OCTOBER 2019
Contents _
INTRODUCTION .......... p. 4
EXECUTIVE SUMMARY .......... p. 6
ATTACKERS GROUP .......... p. 12
INDEX .......... p. 202
REFERENCES .......... p. 208
NOTES .......... p. 226
Introduction _

The cyberthreat landscape is becoming ever more complex, and with exponential growth in the volume of threat-related information, it is becoming impossible to manage this complexity without efficient tools and methods. How to extract the right set of data from this deluge of information? How to focus on the most relevant pieces of this giant puzzle? How to see the big picture? These are crucial questions for organisations and their cybersecurity stakeholders, from the operational teams managing intrusion detection systems or security operations centres to strategic decision-makers.

Cyberthreat technical analysis and the creation of meaningful detection signatures are part of the answer. This first edition of the Cyberthreat Handbook attempts to explain the value of cyberthreat technical analysis, and of cyberthreat intelligence more broadly, by providing insights about some of the most impactful groups of attackers.

This report is the first of its kind in the world in terms of the quality of its content. It is the result of thousands of hours of information gathering, cross-checking and analysis by our teams of experts, who have conducted an in-depth investigation of attackers' motivations and techniques over a significant period of time.

In order to make the report a real operational tool and not just an inventory of existing cyberthreats, we have not set out to be exhaustive. On the contrary, we have selected the groups that, in our opinion, deserve the most attention. To do this objectively, we designed an exclusive scoring methodology (see page 8) and established individual ratings cards for each group of attackers.

As the report is intended for a broad audience, each ratings card reflects a wide variety of data, ranging from general and historical descriptions to a mapping of Tactics, Techniques and Procedures (TTPs).
Executive Summary _

Produced by Thales and Verint, the Cyberthreat Handbook is an original proposal for an environmental analysis of the cyberthreat landscape. It is a dynamic directory which, in its first version, aims to provide a synthetic and rigorous analysis of 66 groups of attackers of global importance today. This work in no way claims to be perfectly exhaustive. The aim is to provide an introduction to cyberthreats from open sources that Thales and Verint consider reliable.

In the form of dedicated ratings cards, the report sets out to familiarise the reader with groups of different profiles: cyber-attackers sponsored by nation states, high-flying cyber-criminal groups, hacktivist groups and cyber-terrorists. This panorama shows that the threat is extremely diversified, both technically, with varied modus operandi, and in terms of performance, some groups demonstrating an extremely high level of technical sophistication, such as the ATK91 group (Xenotime, Triton, TEMP.Veles), capable of infiltrating and manipulating critical infrastructure, industrial control systems (ICS) and safety systems with its Triton malware.

Several criteria have been used to define what we call the importance of these threats. Some groups are considered relevant because of their recent emergence and performance. In this respect, ATK120 (Lyceum/Hexane), discovered at the end of August 2019, makes a sensational entry into the cyberthreat landscape and has been included in this work on that basis. Others have not been active for several years, but their status as Advanced Persistent Threats (APT), characteristic of state-sponsored groups, and their past campaigns lead us to consider them still part of the landscape. Nor can the ATK2 group (APT17), for example, whose campaigns seem to have weakened in intensity since 2014, be ignored, since during its last campaign it managed to compromise the websites of GIFAS, the French aerospace industry association, and the systems of some of its members. More generally, groups are chosen because of their nuisance and/or destruction capacities, their difficulty of detection, their agility and their own or higher-level motivations. It would clearly be illusory to hope to map all known attacker groups, first because they are extremely numerous, and also because attack modes are sometimes strongly replicated from one group to another. For example, the IceFog backdoor of the Chinese group of the same name has been widely distributed and used by other groups of Chinese origin. Effective as this program may be, the simple fact of using it is not enough to justify the inclusion of all the groups that might be in a position to use it. By its very nature, the cyberthreat landscape is also a highly complex matter to study, with many cyber-attackers operating in the shadows, with a clear desire to conceal themselves.

The attacker groups profiled in this report all have one thing in common: they are all significant attackers, in terms of the number of campaigns conducted, the technical competence they demonstrate, the agility of their operating methods and the strength of their motivations. In a word, they are all determined opponents, capable of carrying out significant attacks. Their level of "performance" is variable, as indicated by the scoring system we have established for the purposes of this report. For each of these attackers, we provide a brief description. We detail their names in the various known sources, their nature (state-sponsored, criminal, hacktivist or terrorist), their known targets in terms of sectors of activity and geographical areas, the language they use and their assumed origin, motivations and objectives. We also contextualise the activity of some groups in light of international events that may have occurred during their attack campaigns. These campaigns are also detailed and illustrated in a timeline on each ratings card in order to trace known activity. Each card also explains the malware used, whether specific to the attacker group or shared with others, the legitimate tools used and the vulnerabilities exploited. Finally, we dissect the attacker's usual modus operandi by explaining its Tactics, Techniques and Procedures (TTP) according to the matrix developed by MITRE ATT&CK*. By the same token, the objective is to be able to formally identify a group at the time of an attack through detailed knowledge of its habits.

The Cyberthreat Handbook thus brings together analyses of nearly 490 attack campaigns conducted in some 40 activity sectors in 39 countries by 66 attackers of various kinds (49% state-sponsored, 26% hacktivist, 20% cybercriminals and 5% terrorists). Most often, state-sponsored groups focus on stealing sensitive data from geopolitical targets of interest and/or critical infrastructure providers, generally using backdoors. Hacktivists pursue ideological motivations (community, religious, political, etc.), denouncing facts they deem unacceptable by conducting DDoS attacks, proselytising or spreading disinformation through defacement. What we call cybercriminals are groups seeking substantial financial gains, for example through the use of ransomware. Finally, cyber-terrorists either take a proselytising approach, in order to recruit new adepts, or seek to destroy data, with the use of wipers for example, or infrastructure, through defacement and the use of publicly available pentest tools.

Analysis of this broad range of attackers makes it possible to reconstitute the idiosyncrasies of certain types of groups. The most virulent and well-trained attacker groups do not necessarily develop their own malware, for instance. Most use malware developed by others who make it a specialty: some design digital weapons, others use them as part of a well-structured offensive strategy. Groups of Chinese origin, for example, have developed a habit of sharing their most successful malware with other groups. The other growing trend is the purchase of botnet malware sold on the Dark Web to the highest bidder, used to distribute much more developed malware in a second phase.

*https://attack.mitre.org/
[…] attacks to a particular group and leads most observers to amalgamate them under the generic name of Lazarus. These "geographical" specificities can be explained, as in the case of North Korea or China, by the fact that these attacker groups communicate with each other and share attack techniques, often because they are sponsored by the same state entities. They are also sometimes based on technical limitations (for example, the relative unavailability of the Play Store in the Middle East), which direct attackers towards certain modus operandi rather than others. However, this geographical characterisation of attackers through the tools used is not systematic: Russian attackers, whose motivations are varied, use the full cyber arsenal at their disposal, for example.

This broad analysis also makes it possible to identify trends in technical behaviour. In the context of supply chain attacks, for example, as the global defences of organisations are strengthened, attackers are forced to put in place more elaborate tactics to circumvent them. These attacks therefore remain very effective and there is a large increase in indirect attacks, passing through the suppliers of the various organisations, which are then used as trojans. They may be the company's usual service providers, used to target computer […]

[…] tell us a lot about the typical profiles that emerge from the analysis. More than half of the groups target government institutions, often defence organisations, followed by the financial, transport, energy and aerospace sectors. It is not surprising that the most competent and motivated opponents primarily target states, their defence capabilities and all the major players in this sector. These attackers, most of whom are themselves state-sponsored, carry out targeted attacks on geopolitical rivals or their strategic operators. Finance is the second sector most affected by attacking groups. Essentially cyber-criminals, these profiles are driven by a quest for significant financial gain. Their offensives are therefore global and target all players in the global financial system. To our knowledge, 137 different geographical areas have been targeted by attacker groups in this sector. The same applies to attacks against major energy players, most often multinationals, with 24 attackers affecting 106 countries. The energy sector has also been the subject of very diversified attacks, with our analysts identifying more than 230 different malware families in use. This is probably due to the increasing number of compromises of proto-IoT or SCADA systems, on which attacks are also developing in the transport sector.

The Cyberthreat Handbook also proposes to offer a new and accurate vision of the cyberthreat landscape by establishing a score per attacker based on the MITRE ATT&CK matrix. The purpose is to illustrate the level of threat represented by each. This is the second main purpose of this report: to provide a quantified estimate of the level of threat posed by attackers. By knowing their usual tactics, we can establish whether the potential for nuisance and/or destruction is more or less important with regard to their techniques: whether these techniques are more or less easy to implement, whether they allow the attacker to control all or part of a system, whether attackers focus on a limited range of techniques or an elaborate arsenal, and whether they can change techniques regularly and demonstrate a high degree of agility. All these indications are objective parameters that allow us to build an indicative score for each attacker.
[Figure: ATT&CK matrix view of one attacker group. Annotations: "The 12 tactics of the MITRE matrix"; "Example of a technique used by the attacker group considered, among the 68 techniques of the MITRE matrix shown". Caption: In this example the attacker group uses 11 of the 12 MITRE tactics and 44 techniques.]
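As an added illustration of how an ATT&CK mapping turns into the parameters described above, the following Python is not part of the handbook and does not reproduce its scoring methodology (which the report describes on page 8). It reads an ATT&CK Navigator-style layer, counts the tactics and distinct techniques covered, measures how much the technique set changed since an earlier layer (the "agility" parameter), and combines them with assumed weights into an indicative 0-100 score. The two layers, the weights and the technique cap are constructed for the example; the technique IDs are real 2019 ATT&CK IDs, but their attribution to the hypothetical group is invented.

```python
"""Indicative ATT&CK-based attacker score (added example, not the handbook's
own methodology).  The weighting is an assumption chosen to reflect the
parameters the report names: breadth of tactics, size of the technique
arsenal, and agility (how much the technique set changes between periods)."""

# The 12 Enterprise ATT&CK tactics of the 2019 matrix, in kill-chain order.
ENTERPRISE_TACTICS = (
    "initial-access", "execution", "persistence", "privilege-escalation",
    "defense-evasion", "credential-access", "discovery", "lateral-movement",
    "collection", "command-and-control", "exfiltration", "impact",
)
TECHNIQUE_CAP = 50   # assumed: 50+ distinct techniques earns the full arsenal weight
WEIGHTS = {"breadth": 40, "arsenal": 40, "agility": 20}   # assumed, sums to 100

# Constructed Navigator-style layers for a hypothetical group, two periods apart.
PREVIOUS_LAYER = {"name": "hypothetical group, 2017", "techniques": [
    {"techniqueID": "T1193", "tactic": "initial-access"},       # Spearphishing Attachment
    {"techniqueID": "T1086", "tactic": "execution"},            # PowerShell
    {"techniqueID": "T1060", "tactic": "persistence"},          # Registry Run Keys
    {"techniqueID": "T1204", "tactic": "execution"},            # User Execution
    {"techniqueID": "T1105", "tactic": "command-and-control"},  # Remote File Copy
]}
CURRENT_LAYER = {"name": "hypothetical group, 2019", "techniques": [
    {"techniqueID": "T1193", "tactic": "initial-access"},
    {"techniqueID": "T1192", "tactic": "initial-access"},       # Spearphishing Link
    {"techniqueID": "T1086", "tactic": "execution"},
    {"techniqueID": "T1060", "tactic": "persistence"},
    {"techniqueID": "T1027", "tactic": "defense-evasion"},      # Obfuscated Files or Information
    {"techniqueID": "T1003", "tactic": "credential-access"},    # Credential Dumping
    {"techniqueID": "T1082", "tactic": "discovery"},            # System Information Discovery
    {"techniqueID": "T1005", "tactic": "collection"},           # Data from Local System
    {"techniqueID": "T1071", "tactic": "command-and-control"},  # Standard Application Layer Protocol
    {"techniqueID": "T1048", "tactic": "exfiltration"},         # Exfiltration Over Alternative Protocol
    {"techniqueID": "T1048", "tactic": "exfiltration"},         # duplicate entry: counted once
]}


def tactics_covered(layer):
    """Distinct Enterprise tactics the layer maps at least one technique to."""
    return {t["tactic"] for t in layer["techniques"] if t["tactic"] in ENTERPRISE_TACTICS}


def techniques_used(layer):
    """Distinct technique IDs (Navigator layers often repeat an ID per tactic)."""
    return {t["techniqueID"] for t in layer["techniques"]}


def agility(current, previous):
    """Share of the current technique set not seen in the previous period:
    1.0 is a completely renewed arsenal, 0.0 means nothing changed."""
    cur, prev = techniques_used(current), techniques_used(previous)
    if not cur:
        return 0.0
    return len(cur - prev) / len(cur)


def indicative_score(current, previous=None):
    """0-100 score from tactic breadth, arsenal size and (optionally) agility."""
    n_tactics = len(tactics_covered(current))
    n_techniques = min(len(techniques_used(current)), TECHNIQUE_CAP)
    score = WEIGHTS["breadth"] * n_tactics / len(ENTERPRISE_TACTICS)
    score += WEIGHTS["arsenal"] * n_techniques / TECHNIQUE_CAP
    if previous is not None:
        score += WEIGHTS["agility"] * agility(current, previous)
    return round(score)


if __name__ == "__main__":
    print(len(tactics_covered(CURRENT_LAYER)), "tactics,",
          len(techniques_used(CURRENT_LAYER)), "techniques, score",
          indicative_score(CURRENT_LAYER, PREVIOUS_LAYER))
```

The example group maps 9 of the 12 tactics and 10 distinct techniques, 7 of which are new since the earlier layer, so breadth (30), arsenal (8) and agility (14) give an indicative 52; without the earlier layer the agility term is dropped and the score is 38. A real scoring would also weight individual techniques by how much control they grant and how hard they are to implement, which this example does not attempt.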
Exfiltration
The adversary is trying to steal data.
Exfiltration consists of techniques that adversaries may use to steal data from your […]
Attackers Group _
DESCRIPTION
ATK7 is an attacker group that has existed since at least 2008 and is believed to act for the Russian government. The group is composed of highly competent and well-organised members, allowing for complex and long-running campaigns. Its main goal is espionage and intelligence collection. The group therefore targets Western organisations, with a special focus on governmental bodies and think tanks, and has occasionally expanded its reach to governments in the Middle East, Asia, Africa, etc. To reach its goal, the group has used multiple families of malware.

The group aims to act fast, albeit in a noisy way: its campaigns are not designed to be discreet, but to be distributed to many victims, followed by the deployment of a malware that will quickly grab and exfiltrate every potentially interesting piece of information. Once a victim of interest has been identified, the group will often switch to a different, stealthier malware designed for long-term persistence, in order to gather intelligence. In recent years, the group has been running these campaigns bi-annually.

The group is suspected to be responsible for the 2015 hack of multiple governmental institutions in the USA, including the White House, the Pentagon and the Department of State (DoS).

TOOLS, MALWARE AND VULNERABILITIES
Malware: CloudDuke, CosmicDuke, CozyDuke, GeminiDuke, HammerDuke, MiniDuke, OnionDuke, PinchDuke, SeaDuke
Legitimate software: None
Exploited vulnerabilities: CVE-2010-0232

CAMPAIGNS
2008 - Campaign against Chechnya
The first campaign attributed to APT29 was the two PinchDuke attacks in November 2008. These attacks were associated with fake Turkish websites, the first one mimicking the "Chechan [sic] Informational Center", the other claiming to provide "news from the jihad world" with a section dedicated to Chechnya.

2009 - Campaign against Western countries
During 2009 the Dukes targeted organisations such as the Ministry of Defense of Georgia and the ministries of foreign affairs of Turkey and Uganda, a U.S.-based foreign policy think tank, organisations linked to a NATO exercise in Europe, the Georgian "Information Centre on NATO", and government institutions in Poland and the Czech Republic. They seem to be interested in political matters related to the United States and the North Atlantic Treaty Organization, and in gathering information on Georgia-NATO relations. It is worth noting that the attacks on the US-based think tank, as well as on the government institutions in Poland and the Czech Republic, began a few days after Barack Obama, the US President, spoke about the deployment of missile defences.

2010 - Campaign in the Caucasus
The spring of 2010 saw continued PinchDuke campaigns against Turkey and Georgia, but also numerous campaigns against other members of the Commonwealth of Independent States such as Kazakhstan, Kyrgyzstan, Azerbaijan and Uzbekistan.

2011 - Expansion of the Dukes' arsenal
By 2011, the Dukes had already developed at least 3 distinct malware toolsets, including a plethora of supporting components such as loaders and persistence modules. In fact, as a sign of their arsenal's breadth, they had already decided to retire one of these malware toolsets as obsolete after developing a replacement for it, seemingly from scratch.
2013 - Campaign against European […]
CozyDuke had been under development since at least the end of 2011, but it was not until the early days of July 2014 that the first large-scale CozyDuke campaign that we are aware of took place.

2014 - Campaign with the OnionDuke botnet
The purpose of the OnionDuke variant spread via the Tor node was not to pursue targeted attacks but instead to form a small botnet for later use.

2015 - Campaign with CloudDuke
In July 2015, ATK7 conducted a large-scale phishing campaign using CloudDuke, a […] and more targeted operations using the […]

[…] to be from the US Department of State. The group compromised the website of a hospital and a consulting company in order to send their messages. For this campaign, the group used the CobaltStrike Beacon malware, delivered through malicious Windows shortcuts.

[Timeline figure labels: 2008; 2013 (CozyDuke); Jan-2015; 2015; 2016; 2017; Jan-2018; 2018. Campaign labels: Campaign with CozyDuke; Campaign against Poland and Georgia; Campaign against the USA; Campaign with SeaDuke and CloudDuke; HammerDuke; Campaign.]
Alias _ Threat Actor _ Targeted Sectors _ Motivations & Objectives _
ATK7 (rating: 91)
Aliases: APT 29, COZER, COZY BEAR, COZY DUKE, COZY CAR, DUKES, EUROAPT, GROUP 100, HAMMER TOSS, MINIDIONIS, OFFICE MONKEYS, SEA DUKE, THE DUKES, YTTRIUM
Threat actor type: State Sponsored (card categories: Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown)
Targeted sectors: Defense, Government Agencies, International Organizations
Motivations & objectives: Cyber Espionage, Data Theft
Language: Russian
Assumed origin of the attacker: Russia
Alias _ Threat Actor _ Targeted Sectors _ Motivations & Objectives _
ATK5 (rating: 80)
Aliases: APT 28, FANCY BEAR, GROUP 74, GROUP-4127, IRON TWILIGHT, PAWN STORM, SNAKEMACKEREL, STRONTIUM, SEDNIT, SOFACY, SWALLOWTAIL, TAG_0700, TG-4127, TSAR TEAM
Threat actor type: State Sponsored (card categories: Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown)
Targeted sectors: Aerospace, Cybersecurity, Defence, Embassies, Government Agencies, Hospitality, International Organizations, Media
Motivations & objectives: Espionage, Political Manipulation
Languages: English, Russian, Georgian
Assumed origin of the attacker: Russia
DESCRIPTION
ATK5 is a Russian state-sponsored group of attackers operating since 2004, if not earlier, whose main objective is to steal confidential information from specific targets, such as political and military targets, for the benefit of the Russian government. It is a skilled team with the capability to develop complex modular malware and to exploit multiple 0-days. Its malware is compiled with a Russian language setting and during Russian office working hours. Despite a number of public disclosures from European governments and indictments from the U.S. Department of Justice, this adversary continues to launch operations targeting the political and defence sectors in Europe and Eurasia.

Between 2007 and 2014, ATK5 had three kinds of targets: Georgian government agencies (Ministry of Internal Affairs and Ministry of Defence) or citizens, Eastern European governments, and security organisations. The attack on the Georgian Ministry of Defence may have been a response to the growing U.S.-Georgian military relationship. In 2013, the group targeted a journalist, which is a way to monitor public opinion, spread disinformation or identify dissidents. During 2015 and 2016, the group's activity increased significantly, with numerous attacks against government departments and embassies all over the world. Among its most notable presumed targets are the American Democratic National Committee, the German parliament and the French television network TV5Monde. ATK5 seems to have a special interest in Eastern Europe, where it regularly targets individuals and organisations involved in geopolitics. It has also been implicated in the attacks on the U.S. presidential election in late 2016.

The 2016 attacks were visible and disruptive, but in 2017 the group made a major change towards stealthier attacks to gather intelligence about a range of targets. One of the striking characteristics of ATK5 is its ability to come up with brand-new 0-day vulnerabilities regularly. In 2015, the group exploited no fewer than six 0-day vulnerabilities. This high number of 0-day exploits suggests significant resources, either because the group members have the skills and time to find and weaponise these vulnerabilities, or because they have the budget to purchase the exploits. In addition, ATK5 profiles its target systems in order to deploy only the needed tools. This prevents researchers from having access to its full arsenal.
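The compile-time observation in the description (samples built during Russian office hours) is a standard attribution check that can be reproduced on any collection of PE samples. As an added example, not from the handbook, the Python below builds a minimal PE header in memory (constructed bytes, not a real sample), reads IMAGE_FILE_HEADER.TimeDateStamp, and classifies it against an assumed Moscow office-hours profile. Moscow is simplified to a fixed UTC+3 offset and the 09:00-18:00 weekday window is an assumption. Compile timestamps are attacker-controlled and can be zeroed or forged, so this is a weak signal unless aggregated over many samples; the PE resource language ID (0x0419 for Russian) is a separate check not shown here.

```python
"""Compile-timestamp analysis of PE samples against an assumed working-hours
profile (added example; the PE bytes and timestamps are constructed)."""
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

# Simplification: Moscow treated as fixed UTC+3.  Between 2011 and 2014 Moscow
# clocks were on UTC+4, so real analyses of samples from that period should use
# the historical tz database ("Europe/Moscow") instead of a fixed offset.
MOSCOW = timezone(timedelta(hours=3))
WORK_START, WORK_END = 9, 18          # assumed office hours, local time


def utc_epoch(year, month, day, hour=0, minute=0):
    """Seconds since the epoch for a UTC wall-clock time (test-input helper)."""
    return int(datetime(year, month, day, hour, minute, tzinfo=timezone.utc).timestamp())


def build_sample_pe(timestamp):
    """Constructed minimal PE image: DOS header, PE signature and a COFF header
    carrying the given TimeDateStamp.  Enough for header parsing, not loadable."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew: PE header at offset 64
    # Machine=i386, 1 section, TimeDateStamp, no symbols, opt hdr size, flags
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0xE0, 0x102)
    return bytes(dos) + b"PE\0\0" + coff


def compile_timestamp(data):
    """Read IMAGE_FILE_HEADER.TimeDateStamp; raises ValueError on non-PE input."""
    if len(data) < 64 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header follows the 4-byte signature: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return stamp


def classify(timestamp, tz=MOSCOW):
    """'working' if the stamp falls on a weekday inside office hours in tz."""
    local = datetime.fromtimestamp(timestamp, tz)
    if local.weekday() >= 5 or not (WORK_START <= local.hour < WORK_END):
        return "off-hours"
    return "working"


def working_hours_share(samples, tz=MOSCOW):
    """Fraction of PE samples whose compile time falls in local working hours.
    A share close to 1.0 across many samples supports the profile; a single
    sample proves nothing, and a zero or future stamp indicates tampering."""
    if not samples:
        return 0.0
    counts = Counter(classify(compile_timestamp(s), tz) for s in samples)
    return counts["working"] / len(samples)


if __name__ == "__main__":
    batch = [build_sample_pe(utc_epoch(2015, 3, 10, 7, 30)),   # Tue 10:30 MSK
             build_sample_pe(utc_epoch(2015, 3, 14, 7, 30))]   # Sat 10:30 MSK
    print("working-hours share:", working_hours_share(batch))
```

Run against a real corpus, feed `working_hours_share` the raw file bytes and swap `MOSCOW` for the candidate time zone under test; comparing the share across several candidate zones is more informative than a single yes/no.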
CAMPAIGNS
2008 - Compromise of the US Department of Defense network

2008 - Cyber-attacks accompanying the invasion of Georgia

2011 - APT28 uses lures written in Georgian

October 2011 - Spearphishing of the French Defence Ministry

January 2012 - Spearphishing of the Vatican embassy in Iraq

Mid-2013 - Targeting of the Georgian Ministry of Internal Affairs

September 2013 - Spearphishing of military officials

Late 2013 - Targeting of a journalist covering the Caucasus

Late 2013 - Targeting of an Eastern European Ministry of Foreign Affairs

January 2014 - Spearphishing of Pakistani military officials

August 2014 - Attempt to compromise the Polish government
APT28 used a lure about hostilities surrounding a Malaysia Airlines flight downed in Ukraine in a probable attempt to compromise the Polish government.

September 2014 - Typosquatting of a European defence exhibition
In September 2014, APT28 registered a domain (smigroup-online.co[.]uk) that appeared to mimic that of the SMi Group, a company that plans events for the "Defence, Security, Energy, Utilities, Finance and Pharmaceutical sectors." Among other events, the SMi Group was at the time planning a military satellite communications event for November 2014.

October 2014 - September 2015 - Operation Pawn Storm
Operation Pawn Storm is an economic and political cyber-espionage operation that targets a wide range of entities, such as the military, governments, defence industries and the media. During this operation, APT28 intercepted email traffic from the Kyrgyzstan Ministry of Foreign Affairs.

2014 - 2016 - APT28 uses Android X-Agent to track Ukrainian artillery
Operators of the Ukrainian D-30 artillery used an Android application to simplify targeting. This application was trojanised with an Android version of X-Agent. The malware did not interfere with the function of the application, but it was able to gather intelligence about the unit and its hierarchy and obtain an approximate position.

February - April 2015 - APT28 compromises TV5Monde
On April 8, 2015 at 8:50 p.m. CET, TV5 Monde's broadcasting infrastructure was the target of a cyber-attack. The channel's Twitter and Facebook accounts were also hijacked. Messages of support for the Islamic State in English, Arabic and French were published, as well as documents presented as identity documents and CVs of relatives of French military personnel involved in operations against IS. In June, the media revealed that the investigation was moving away from the jihadist trail, seen as a decoy, and towards APT28. The cyber-attack has similarities with the group's modus operandi, uses common servers, and the source code would have been typed on a Cyrillic keyboard at times corresponding to office hours in St Petersburg and Moscow.

April 2015 - Operation RussianDoll
The target firm is an "international government entity" in an industry which APT28 is known to have targeted in the past, according to FireEye. The attack also uses a malware variant that shares characteristics with APT28 backdoors.

April - May 2015 - Attack on the German Parliament
During this operation, the attacker did not try to hide its tracks or to maintain access to the compromised systems, as would be seen during a long-term operation. This operation seemed to be opportunistic and quickly executed to exfiltrate as much data as possible.

May 2015 - APT28 targets the Ukrainian Central Election Commission

Summer 2015 - Sofacy attack waves
These attacks targeted NATO, the Afghan Ministry of Foreign Affairs and the Pakistani military.

August 2015 - APT28 targets Russian rockers and dissidents Pussy Riot
APT28 targeted the Russian band and dissidents Pussy Riot via spear-phishing emails.

March 2016 - APT28 targets the Hillary Clinton presidential campaign
In March 2016, APT28 launched a spearphishing campaign using Bitly accounts to shorten malicious URLs. The targets were similar to those of previous campaigns but also included email accounts linked to the November 2016 United States presidential election, such as the people managing Hillary Clinton's communications, travel, campaign finance, etc.

April - May 2016 - APT28 targets Germany's Christian Democratic Union

May 2016 - Spear-phishing attack against a U.S. government entity
In May 2016, APT28 sent a spear-phishing email to a U.S. government entity using an email address belonging to the Ministry of Foreign Affairs of another country.

Spring 2016 - APT28 attacks the U.S. Democratic National Committee

Summer 2016 - APT28 attacks the World Anti-Doping Agency (WADA)

November 2016 - APT28 targets the Organization for Security and Co-operation in Europe (OSCE)

July 2017 - APT28 targets the hospitality sector in Europe and the Middle East

October 2017 - Spearphishing using a new lure document about the Cyber Conflict U.S. (CyCon U.S.) conference

February - October 2018 - APT28 attacks various Ministries of Foreign Affairs around the world
Palo Alto detected three waves of attacks in February, March and June 2018 targeting government organisations dealing with foreign affairs in different geopolitical regions. This operation continued with another wave in October.
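The September 2014 typosquatting entry is the kind of indicator that can be hunted for in resolver or proxy logs, and registering lookalike domains for a target's suppliers or event organisers is a reusable pattern. As an added example, not part of the handbook, the Python below refangs a defanged indicator, reduces a queried name to its registrable label and public suffix, and compares that label against a list of protected domains using three heuristics: the same label under another suffix, a small edit distance, and a brand token embedded in a longer label that shares a word with the genuine one (which is what catches smigroup-online against smi-online). The protected-domain list and the log lines are constructed; smi-online.co.uk is assumed here to be the legitimate SMi Group domain purely for illustration.

```python
"""Lookalike-domain detection over resolver/proxy logs (added example; the
brand list and log lines are constructed).  Assumption: smi-online.co.uk is
used as the legitimate SMi Group domain for illustration only."""
import re

PROTECTED = ["smi-online.co.uk", "example-defence.com"]        # assumed brand list
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au"}  # minimal stand-in for the PSL
QNAME_RE = re.compile(r"qname=(\S+)")

# Constructed resolver log; the second line carries a defanged name as a
# report-derived IOC might be pasted into a hunt.
SAMPLE_LOG = """\
2014-09-12T08:01:03Z client=10.0.0.21 qname=smi-online.co.uk
2014-09-12T08:02:17Z client=10.0.0.21 qname=smigroup-online.co[.]uk
2014-09-12T08:03:40Z client=10.0.0.33 qname=www.example-defense.com
2014-09-12T08:04:55Z client=10.0.0.45 qname=mail.otherfirm.net
2014-09-12T08:05:10Z client=10.0.0.50 qname=smi-online.com
"""


def refang(indicator):
    """Undo common defanging so an IOC from a report can be matched against logs."""
    return indicator.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def registrable(hostname):
    """(registrable label, public suffix): www.smi-online.co.uk -> ('smi-online', 'co.uk')."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return labels[-3], ".".join(labels[-2:])
    return labels[-2], labels[-1]


def levenshtein(a, b):
    """Plain edit distance; fine for label-length strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(hostname):
    """Why hostname resembles a protected domain, or None if it does not."""
    cand = registrable(refang(hostname))
    legit_pairs = [registrable(d) for d in PROTECTED]
    if cand in legit_pairs:
        return None                                    # the genuine domain itself
    for (label, suffix), legit in zip(legit_pairs, PROTECTED):
        if cand[0] == label:
            return f"same label under another suffix ({legit})"
        dist = levenshtein(cand[0], label)
        if dist <= 2:
            return f"edit distance {dist} from {legit}"
        # Brand token inside a longer label plus a shared word ("smigroup-online"
        # vs "smi-online").  Short brands give false positives ("smith-online"),
        # so treat this rule as a review queue rather than a block list.
        brand, tokens = label.split("-")[0], cand[0].split("-")
        shared = set(tokens) & set(label.split("-"))
        if len(brand) >= 3 and shared and any(brand in t for t in tokens):
            return f"brand token '{brand}' plus shared token {sorted(shared)} ({legit})"
    return None


def scan_log(text):
    """[(qname, reason)] for every queried name that looks like a protected domain."""
    hits = []
    for line in text.splitlines():
        m = QNAME_RE.search(line)
        if m:
            reason = lookalike_reason(m.group(1))
            if reason:
                hits.append((refang(m.group(1)), reason))
    return hits


if __name__ == "__main__":
    for qname, reason in scan_log(SAMPLE_LOG):
        print(f"{qname}: {reason}")
```

The three heuristics are deliberately cheap so they can run on every query; a production hunt would replace `MULTI_LABEL_SUFFIXES` with the full public suffix list and add homoglyph and keyboard-adjacency checks, but the same shape (refang, normalise, compare against a curated brand list) applies.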
Alias _ Threat Actor _ Targeted Sectors _ Motivations & Objectives _
ATK17 (rating: 77)
Aliases: APT-C-00, APT32, COBALT KITTY, OCEAN BUFFALO, OCEAN LOTUS, SEALOTUS, SECTORF01
Threat actor type: card categories Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown (marked category not legible)
Targeted sectors: Administration, Communication, Financial Services, Government Agencies, High-Tech, International Organizations, Legal Services, Manufacturing, Media, Military, Naval, Research
Motivations & objectives: Espionage
Language: Unknown
Assumed origin of the attacker: Viet Nam
DESCRIPTION
ATK17 is a Vietnamese group that conducts a nearly continuous espionage campaign against various but well-defined targets, while maintaining a developed arsenal of tools. This group is known for the diversity of the lures it uses to target its victims. It is an active group, with diverse tools on multiple platforms (Windows and macOS). It is highly adaptable even when discovered and has used multiple CVEs to reach its goals.
CAMPAIGNS
2010 - First mention of APT32
The first mention of a Vietnamese attacker group dates from a Google report from 2010. At that time, the group deployed a relatively simple malware embedded in Vietnamese keyboard software. This malware was used to conduct denial-of-service attacks against blogs belonging to activists, as well as for espionage on them.

Evolution of the group into an Advanced Persistent Threat (APT) group
By the end of 2013, the group was using a whole new set of tools to spy on EFF staffers and Associated Press reporters. This toolset was used exclusively for espionage, and the DDoS capabilities present in previous iterations were no longer present.

Widening of APT32's scope
Between 2014 and 2017, the group developed its potency in two ways. Firstly, its arsenal gained new tools, dubbed Windshield, Komprogo, Soundbite, Denis, Phoreal and an unnamed Outlook backdoor. Secondly, the group changed the scope and the target distribution of its victims: while continuing its attacks on political […]

APT32 changes its delivery method
In 2018, the group was seen using new methods to deliver its malware. At the time the campaign was discovered, we notably find the following compromised websites: various domains related to ASEAN; the Cambodian ministries of Foreign Affairs, Environment, Civil Service, National Assembly-Senate Relations and Inspection, and Social Affairs, Veterans and Youth Rehabilitation, as well as the National Election Committee and the National Police of Cambodia; various Chinese private companies; a province website in Laos, as well as the Ministry of Public Works and Transport; the Army and the Office of the President of the Philippines.

In November 2018, a new wave of compromised websites was discovered, containing, among others: multiple media websites and blogs in Vietnamese; Vietnamese websites about religion; various ministries in Cambodia; a golf club in Phnom Penh; the websites of the Former Vietnamese Prisoners of Conscience; a Cambodian newspaper; the Cambodian youth federation; ASEAN in Thailand, probably in anticipation of the 34th ASEAN Summit in Bangkok, Thailand, in June 2019.

[Timeline figure: 2014 Germany (Manufacturing); 2014 Southeast Asia (dissidents in the Vietnamese diaspora); 2014 Vietnam (Network Security); 2015 China; 2015 Vietnam (Media); 2016 Philippines (Consumer products); 2016 Philippines (IT); 2016 USA (Consumer products); 2016 Vietnam (Banking); 2016 Vietnam (Media); 2017 Australia (Dissidents in the Vietnamese diaspora); 2017 Philippines (Government).]
Alias _ Threat Actor _ Targeted Sectors _ Motivations & Objectives _
ATK40 (rating: 79)
Aliases: APT34, ATK58, CLAYSLIDE, CRAMBUS, HELIX KITTEN, HELMINTH, IRN2, OILRIG, TWISTED KITTEN
Threat actor type: card categories Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown (marked category not legible)
Targeted sectors: Aviation, Education, Energy, Financial Service, Government Agencies, High-Tech, Hospitality
Motivations & objectives: Cyber Espionage
Language: Unknown
Assumed origin of the attacker: Iran
DESCRIPTION
ATK40 (OilRig, APT34) is an Iranian cyberespionage threat actor active since at least 2014, primarily operating in the Middle East region. The group targets as a priority the financial institutions of the Sunni Gulf States, but also the United States and Israel, traditional geopolitical opponents of the Republic of the Mullahs. During the OilRig campaign in 2016 against financial institutions in Saudi Arabia, the group demonstrated the capability to adapt its procedures and to use multiple delivery methods, particularly through well-crafted spear-phishing messages relevant to the interests of targeted personnel and custom PowerShell implants like the Helminth backdoor. It relies heavily on the human factor for initial access. After the first reports by FireEye and PaloAlto, the group actively updated its tools and expanded its scope of targets (Qatar, Turkey, Israel and the United States). The group continues to use communication through DNS tunnelling to the command and control server to stay under the radar. In early 2017, the group demonstrated the ability to use digitally signed malware spread through fake websites (a University of Oxford conference sign-up page and a job application website). PaloAlto observed an overlap between a C&C IP address used by OilRig and one used by Chafer for its Remexi backdoor C&C, suggesting that these groups are one entity or that they share resources. Furthermore, the similarity between the ISMAgent malware used by OilRig and ISMDoor used by GreenBug (ATK59) suggests a link between these groups.

This actor shows a high capability for adaptation, creating new custom delivery documents and backdoors and using multiple TTPs to re-infect previous targets who took action to counter its known TTPs. We did not observe this actor using a zero-day exploit, but it quickly used CVE-2017-0199 and CVE-2017-11882, which are widely used to improve the quality of lure documents. Dragos considers that ATK40 (OilRig) and ATK59 (Greenbug) are the same threat group and that it carried out initial preparations and network intrusion in advance of the Shamoon event. This group regularly tests its samples on anti-virus testing services like VirusTotal to determine which content of its malware is detected. This technique helped it to build nearly undetected samples but allowed researchers to follow the modifications. In April 2019, multiple OilRig tools were leaked on a GitHub repository, including BONDUPDATER, the TwoFace webshell and webmask, a tool linked to DNSpionage. This leak was followed in June 2019 by another about the tool Jason.

OilRig infrastructure is continuously growing but overlaps with previously used infrastructure. The group reuses its tools, uses the same attack protocols and has a consistent victimology, which makes it easy to track down.
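The DNS tunnelling mentioned in the description above hides a C2 channel inside ordinary name resolution, so the place to look for it is the resolver log rather than the firewall. As an added example (not code from the report or from any of the groups it describes), the following Python script profiles DNS query logs per registered domain and flags domains whose subdomains look like encoded data: almost every query carries a never-seen-before subdomain, the labels are long, and their characters have high entropy. The sample log, the domain tun-c2-placeholder.test, the field layout and the thresholds are constructed assumptions; the registered-domain split is a deliberate simplification (last two labels) that a production detector would replace with the Public Suffix List.

```python
import hashlib
import math
from collections import Counter, defaultdict


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for empty or single-symbol strings)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (registered_domain, subdomain_part) for a query name.

    Simplification (assumption): the registered domain is the last two labels.
    Real deployments should use the Public Suffix List instead."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def profile_domains(queries):
    """Aggregate per-registered-domain statistics from (client, qname, qtype) tuples."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                 "sub_len": 0, "entropy": 0.0, "txt": 0})
    for _client, qname, qtype in queries:
        domain, sub = split_name(qname)
        s = stats[domain]
        s["queries"] += 1
        s["subdomains"].add(sub)
        s["sub_len"] += len(sub)
        s["entropy"] += shannon_entropy(sub.replace(".", ""))
        if qtype.upper() == "TXT":
            s["txt"] += 1
    return stats


def flag_tunnel_candidates(queries, min_queries=20, min_unique_ratio=0.9,
                           min_avg_sub_len=30, min_avg_entropy=3.0):
    """Return {domain: metrics} for domains whose query pattern resembles tunnelling.

    The thresholds are constructed starting points; tune them against your own baseline."""
    flagged = {}
    for domain, s in profile_domains(queries).items():
        n = s["queries"]
        if n < min_queries:          # too little traffic to judge
            continue
        metrics = {
            "queries": n,
            "unique_ratio": len(s["subdomains"]) / n,   # share of never-repeated subdomains
            "avg_subdomain_len": s["sub_len"] / n,       # encoded payloads make long names
            "avg_entropy": s["entropy"] / n,             # encoded payloads look random
            "txt_ratio": s["txt"] / n,                   # TXT answers carry downstream data
        }
        if (metrics["unique_ratio"] >= min_unique_ratio
                and metrics["avg_subdomain_len"] >= min_avg_sub_len
                and metrics["avg_entropy"] >= min_avg_entropy):
            flagged[domain] = metrics
    return flagged


def constructed_sample():
    """Constructed sample log: 40 ordinary lookups plus 40 tunnel-like TXT queries."""
    queries = []
    for i in range(40):
        host = ["www", "mail", "cdn", "api"][i % 4]
        queries.append(("10.0.0.5", f"{host}.example.com", "A"))
    for i in range(40):
        # Hypothetical tunnel traffic: each query carries an encoded chunk in its labels.
        chunk = hashlib.sha256(f"chunk{i}".encode()).hexdigest()
        qname = f"{chunk[:32]}.{chunk[32:48]}.{i:04d}.tun-c2-placeholder.test"
        queries.append(("10.0.0.9", qname, "TXT"))
    return queries


SAMPLE_QUERIES = constructed_sample()

if __name__ == "__main__":
    for domain, m in flag_tunnel_candidates(SAMPLE_QUERIES).items():
        print(f"{domain}: {m['queries']} queries, unique ratio {m['unique_ratio']:.2f}, "
              f"avg subdomain length {m['avg_subdomain_len']:.1f}, "
              f"avg entropy {m['avg_entropy']:.2f} bits/char, TXT ratio {m['txt_ratio']:.2f}")
```

The three conditions are deliberately combined rather than used alone: CDNs and cloud services also produce many unique subdomains, and short hostnames such as "api" have low entropy however often they repeat, so only a domain that scores high on all of them is reported. The TXT ratio is kept as supporting context rather than a condition, since tunnels can also run over A or NULL records.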
CAMPAIGNS

2015 - October 2016 - Wave of emails in Saudi Arabia
In October 2016, PaloAlto observed the improvement of Clayslide and Helminth. The group started to target [...] fake registration tool.

In July 2017, PaloAlto observed an attack targeting a Middle Eastern technology organization which had already been targeted during the campaign of August 2016. We can suppose that this attack came in support of another operation.

August 2017 - Use of ISMInjector to [...] the United Arab Emirates government

January 2018 - Attack against [...] agency in the Middle East
This attack [...] delivering ISMAgent.

Telecommunication sector
In November 2018, CrowdStrike observed OilRig targeting the telecommunication sector. While it used its known TTP, this activity represented a shift in targeting.
ATK6 (Score: 76)
Alias: CROUCHING YETI, DRAGONFLY, DYMALLOY, ENERGETIC BEAR, GROUP 24, HAVEX, KOALA TEAM, IRON LIBERTY, TG-4192
Threat Actor: Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted Sectors: Aviation, Defence, Energy
Motivations & Objectives: Espionage
Language: Unknown
Assumed origin of the attacker: Russia

DESCRIPTION
Dragonfly is a cyber espionage group that has been active since at least 2010. They initially targeted defense and aviation companies but shifted to focus on the energy sector in early 2013. Dragonfly's activities can be separated into three periods:
- 2010-2013, the beginning of its activities using large spam campaigns;
- 2013-2014, when it started to target the energy sector using spear-phishing;
- 2015-2019, a re-launch of its attacks after a break.

International context
It must be remembered that these Dragonfly Group campaigns take place in a complex and turbulent international context. The years 2000-2010 are marked by the acceleration of the European Union's search for alternatives regarding its gas supply sources. Because of its dependence on imported Russian natural gas, the Union is concerned. Between 2010 and 2016, the EU Member States had an average energy dependence rate of 53.44% on the rest of the world according to Eurostat (with wide disparities between countries). This inability to meet its consumption needs alone is strategically uncomfortable, especially since Russia has been supplying more than a third of the imported natural gas since 2010. In 2009, it was therefore decided to diversify the sources of supply by reinvigorating the Nabucco alternative gas pipeline project (from Iran and avoiding Ukraine), which is a direct competitor of the Russian South Stream project.

This competition has shown Russia that the European Union is seeking to get rid of its energy grip. Tension only ceased with the exhaustion of Nabucco, as Russia managed to empty the project's sources of supply by encouraging Azerbaijan to turn to South Stream and Turkmenistan to China (these two countries were the main sources of supply for the project).

At the end of 2013, an Association Agreement was about to be signed between the EU and Ukraine. As a result, Russia put pressure on Ukrainian President Viktor Yanukovych, who decided in November 2013 to abandon the project, triggering the Euromaïdan demonstrations and the Ukrainian crisis. On February 22, 2014, the Ukrainian President was dismissed and replaced by Oleksandr Tourtchynov. Ukraine's political change of course in the context of the crisis prompted Russia to change its pressure strategy by raising the price of gas for the country by 44% on 1 April 2014 (in 2013 it imported half of its consumption from Russia). Three days later, a new increase was decided, for a total increase of 80%.

In response, and after the Crimean war between February and March 2014, the European Union and the United States applied economic sanctions against Russia. These are in addition to the decline in European energy demand, competition with Iran in the gas sector and the global decline in hydrocarbon prices. All these factors led to a contraction in Russian activity between 2015 (-2.8%) and 2016 (-0.2%). Over the entire period covered by Dragonfly's activities, Russia's annual growth rate stagnated at just over 0%. The group's various stages of activity over the period in question, the choice of targets and the modus operandi suggest that there is a concordance of interests with the Russian State. Even if Dragonfly did not exclusively target the gas sub-sector, espionage in the energy sector can attest to this convergence.
Dragonfly initially targeted defence and aviation companies in the US and Canada before shifting to US and European energy sector targets in 2013.

Changing targets - attacks on the energy sector
Since 2013 it targets energy grid operators, companies related to industrial control systems (ICS), major electricity generation firms, petroleum pipeline operators, energy industry industrial equipment providers and nuclear industries. Dragonfly started to target the energy supply chain by targeting ICS equipment providers in March 2014 with the Havex trojan. It compromised their legitimate software that was available for download on their websites, such as the MESA Imaging driver (from the Swiss company MESA Imaging), eCatcher (from the Belgian company eWon) or multiple software packages from the German company MB Connect Line GmbH.

Malwares: CrackMapExec, Dorshel, Goodor, IKLG (Keylogger), Karagany, Lightsout exploit kit, Listrix, MCMD, Oldrea, ScreenUtil
Legitimate software: Angry IP Scanner, Inveigh, Mimikatz, Phishery, PsExec
Exploited vulnerabilities: None

Timeline: 2010-2013 - First campaign against the US and Canada; 2013 - Changing targets: attacks on the energy sector; December 2015 - 2018 - CASTLE campaign
ATK14 (Score: 74)
Alias: BLACK ENERGY, ELECTRUM, GREYENERGY, QUEDAGH, SANDWORM, TELEBOTS, TEMP.NOBLE, VOODOO BEAR
Threat Actor: Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted Sectors: Energy
Motivations & Objectives: Cyber Espionage, Sabotage
Language: Unknown
Assumed origin of the attacker: Russia

DESCRIPTION
ATK14 is an attacker group of Russian origin, active since at least 2008. This attacker is extremely active and competent and is well known for the BlackEnergy campaign as well as the NotPetya campaign. We think that this adversary is linked to the government.

Origins of the group
The BlackEnergy malware was allegedly created in 2006-2007. It was used to launch DDoS attacks against machines. It was used against Georgia and Estonia in large campaigns, taking down governmental and banking websites. The attacker reportedly sold the source code for $700. Several actors used this malware, continuing DDoS attacks against Georgia. Around 2014, a group created SCADA and ICS plugins for BlackEnergy in order to target manufacturing and the energy sector worldwide. This is the group named ATK14.
CAMPAIGNS

2011 - 2015 - Operation Potao
Between 2011 and 2013, a malware called Potao was seen geographically targeting Russia, Armenia, and Georgia. In late 2013, the malware started shifting its focus towards Ukraine, with several samples targeting this country. Among the victims of the malware are high-profile targets, especially since September 2014, including the Ukrainian government and armed forces.

2013 - 2014 - BlackEnergy Lite
By 2013, the BlackEnergy trojan was still active and underwent further development. This led to the creation of new versions, dubbed BlackEnergy2 and BlackEnergy3. Using this family, the group led targeted attack campaigns, approximately at the same time as the Potao malware. As for the Potao campaign, a lot of the group's victims were in Ukraine (around 50%, the remaining half located in Poland) and were high-profile targets such as state organizations and businesses.

[...] SCADA systems of their victims, turning substations off. The group also launched more classic DDoS attacks on the call centres of the electrical companies in order to make them unavailable to customers. This attack deprived many people of electricity for up to 6 hours. This attack is one of the first cases of cyber-sabotage of an electric grid and shows the attacker's determination and competence.

2016 - Continuing interest in energy, and renewal of the group's arsenal
In 2016, we observe a change in the group's arsenal.

December 2016 - Second attack against Ukraine's power grid
On 17 December 2016, a new malware strain called Industroyer/Crashoverride was discovered. This malware was specifically designed to be able to target industrial control systems, and its use led to a massive power outage in Kiev that lasted around one hour.

2018 - 2019 - Continuation of campaigns, and links with other groups
Samples recovered by Kaspersky and FireEye suggest an overlap in some infrastructure of the BlackEnergy and Sofacy groups. In 2019, the group has continued its targeting of specific entities, with no specific development. Some campaigns started in 2018 might still be in progress, but no new campaign of large size has been detected.
ATK41 (Score: 73)
Alias: APT 10, CVNX, CLOUD HOPPER, DUSTSTORM, HAPPYYONGZI, HOGFISH, MENUPASS, POTASSIUM, RED APOLLO, STONE PANDA
Threat Actor: Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted Sectors: Defence, Energy, Financial Services, Government Agencies, High-Tech, Media
Motivations & Objectives: Espionage
Language: Unknown
Assumed origin of the attacker: China

DESCRIPTION
ATK41 (APT10, Stone Panda, CVNX, MenuPass Group, Potassium, Red Apollo, Hogfish, Cloud Hopper, DustStorm, Happyyongzi) is a threat group that appears to originate from China and has been active since approximately 2009.
CAMPAIGNS

Dust Storm
A long-standing persistent threat targeting numerous major industries spread across Japan, South Korea, the United States, Europe, and several other Southeast Asian countries has been discovered. This [...]

In 2017, APT10 compromised manufacturing companies in India, Japan and Northern Europe, but also mining companies in South America and finally multiple IT service providers across the world. FireEye believes these companies and industries are not all final targets but sometimes only organizations that could provide a foothold.

Cloud Hopper: a targeted APT10 campaign
Between November 2017 and September [...] and targeted at least three American and European companies. Among these companies are an IT and business cloud services managed service provider (MSP) and Visma, a billion-dollar Norwegian company with at least 850,000 customers globally, an [...]

A new APT10 campaign was detected and blocked in 2018. The latter was aimed at the Japanese media sector.

APT10 targets government agencies in the Philippines and Southeast Asia
At the end of April, a new activity of the APT10 group was detected. The sample analysed comes from the Philippines; it is likely that other Southeast Asian countries were targeted.

Timeline: Jan-2010 - Dust Storm; Jan-2016 - MenuPass Operation: APT10 expands its operations; Nov-2017 - Cloud Hopper: a targeted APT10 campaign; Jan-2018 - APT10: campaign against Japan, North Korea and South America personalities; Apr-2019 - APT10 targets government agencies in the Philippines and Southeast Asia
ATK29 (Score: 71)
Alias: APT40, LEVIATHAN, TEMP.PERISCOPE, TEMP.JUMPER
Threat Actor: Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted Sectors: Government Agencies, International Organizations, Naval
Motivations & Objectives: Espionage
Language: Unknown
Assumed origin of the attacker: China

DESCRIPTION
The TEMP.Periscope or Leviathan group, gathered with the TEMP.Jumper group within ATK29, is a state-sponsored group of Chinese origin. It is known for its attacks on foreign maritime systems to extract data necessary for the development of Chinese navy skills, as well as for their geostrategic use in the context of the "New Silk Roads" project. This group also campaigned against the Cambodian government in the general elections of 29 June 2018. The infrastructure used in this attack shares many similarities with that used in campaigns against the maritime domain. These similarities allow us to reinforce the conclusions that link the group to these two different campaigns and that establish the Chinese origin of the latter. FireEye links the two groups TEMP.Periscope and TEMP.Jumper definitively in a report published in March 2019.

Since March 2019, there has been a paradigm shift and a change in the target group. Thus, while the group had mainly targeted maritime companies in order to catch up with the Chinese Navy, it is increasingly targeting political organizations in Southeast Asia. The purpose of these espionage actions is to support the Chinese Silk Roads project on freight transport infrastructure projects. ATK29 is a group whose campaigns obey the Chinese needs for technological catch-up and Beijing's diplomatic ambitions. The group is always very active and is composed of competent people. Its arsenal is composed of many tools, which are regularly changed. It is quite reactive and has, in the past, used security vulnerabilities only a few days after their publication. Many of the tools used by this group are also used by other Chinese state attackers, suggesting exchanges of skills and tools between different sections. In addition, the group shared its infrastructure with another group of Chinese attackers, Hellsing.
CAMPAIGNS

NanHaiShu Campaign
In December 2014, the Hague Tribunal, seized of a dispute between China and the Philippines over the South China Sea, rendered its verdict. During these events, the NanHaiShu malware was used by China to obtain strategic information about the dispute. Thus, among these targets are the Philippine [...] working in defence as well as research institutions in this field. Geographically, its attacks focus on the United States and Western Europe, as well as the South China Sea.

Temp.Periscope Targets Cambodia
The group's activities increased in the summer of 2017, and it came back to the forefront with new tools. It systematically targets naval opponents, particularly in the United States. Another report published in July 2018 shows a return to the first targets of Attacker 29, the political organizations of countries in the South China Sea. Thus, [...] newspapers, such as the Khmer Times, the Phnom Penh Post or the Cambodia Daily).

Tim 이 line: Jan-2014 - Leviathan Campaign; Mar-2015 - NanHaiShu Campaign; Jul-2018 - Temp.Periscope Targets Cambodia
ATK8 (Score: 71)
Alias: ANIMAL FARM, SNOWGLOBE
Threat Actor: Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted Sectors: International Organizations, Military, Media
Motivations & Objectives: Espionage
Language: Unknown
Assumed origin of the attacker: France

DESCRIPTION
ATK8 (or Animal Farm) is a group of French origin known for its high-quality malware. The group has been active since at least 2009, and some of its malware has been associated with samples from as far back as 2007. The group was discovered in March 2014 after the publication of a series of slides from Edward Snowden. This group is probably supported by a nation-state, considering the fact that it uses advanced techniques but does not seem to be financially motivated. Another, more precise indication makes it possible to link the group to France: the name "Barbar" given to the group's spyware echoes a strictly French fictional character. Also, the backdoor called "Tafacalou" has a name whose meaning in the Occitan French regional language translates as "it's gonna get hot".

While the group is not associated with any campaign in particular, the tools it uses have been used to target various organizations, notably in Syria, Iran and Malaysia. More broadly, the group deploys its campaigns on a global scale, with some twenty countries concerned. The group mostly develops and uses espionage tools, and the way the malware is deployed to its targets is mostly unknown, though some documents containing zero-day exploits have been used.

CAMPAIGNS
Insufficient information
ATK15 (Score: 71)
Alias: APT 27, BRONZE UNION, EMISSARY PANDA, GROUP 35, HIPPOTEAM, IRON TIGER, LUCKYMOUSE, TEMP.HIPPO, TG-3390, THREAT GROUP-3390, ZIPTOKEN
Threat Actor: Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted Sectors: Aerospace, Communication, Naval, Defence, Government Agencies, Manufacturing, Political Organizations, Education
Motivations & Objectives: Espionage
Language: Unknown
Assumed origin of the attacker: China

DESCRIPTION
ATK15 is a cyber espionage group active since at least 2009 (the first spearphishing was spotted by TrendMicro on November 25, 2009), likely based in the People's Republic of China. The group has a preference for leveraging strategic web compromise (SWC) and scan-and-exploit techniques to compromise target systems.
CAMPAIGNS

APT27 Spear Phishing
25 November 2009 - 25 January 2011: [...] technology, non-profit organizations and others).

APT27 Spear Phishing with corrupted documents related to Taiwan

New spear phishing campaign from APT27
9 May 2014: Spear-phishing campaign on government entities.

Spear-phishing on telecommunication and technology companies
5 September - 12 October 2014: Spear-phishing on telecommunication and technology companies.

Iron Tiger operation
APT27 first attacked targets in the education [...] a decoy to attract politicians who would join a demonstration against the former mayor of Shanghai. Other topics outlined the attackers' objective to target very [...] changed. After carrying out cyber-espionage exploits, the attackers focused on defence and technology-related areas such as aerospace, energy, intelligence, nuclear [...]

APT27 conducted a strategic web compromise (SWC)
2016: ATK15 conducted a strategic web compromise (SWC) on the website of an international industry organization that affected aerospace, academic, media, technology, government, and utilities organizations around the world. During a discrete period of activity, this SWC was used to specifically target Turkish government, banking, and academic networks.

Operation PZChao
2017: Operation PZChao, ATK15 infect [...] targeting a national data centre in Central Asia.

Timeline: Aug-2010 - Iron Tiger operation; Apr-2013 - APT27 spear phishing with corrupted documents related to Taiwan; May-2014 - New spear phishing campaign from APT27; Sep-2014 - Spear phishing on telecommunication and technology companies; 2016 - APT27 conducted a strategic web compromise (SWC)
ATK104 (Score: 70)
Alias: Mummy Spider, TA542
Threat Actor: Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted Sectors: Bank
Motivations & Objectives: Financial Gain
Language: Unknown
Assumed origin of the attacker: Unknown

DESCRIPTION
ATK104 is a cybercriminal group responsible for the malware known as Emotet (also known as Geodo). This malware is the only one maintained by the group. While Emotet was originally sold on illegal markets, it became entirely private in 2015 and is therefore operated solely by the group. The group is composed of competent personnel, and Emotet is regularly considered one of the most threatening malware for businesses.
CAMPAIGNS

Emotet long-running campaigns
Emotet, first seen around May 2014, was originally designed as a modular banking trojan. It shared code with another banking trojan, Feodo. The group did however add features and improve already existing code.

In its first campaigns, Emotet was bundled with a banking module targeting Germany and Austria.

The second version of Emotet, discovered in fall 2014, made use of the Automatic Transfer System, had a spamming module and a DDoS module, and was able to steal data from address books.

A third version, which appeared in January 2015, was stealthier and included a banking module for Switzerland.

The group is known for being extremely active for a few months before stopping the spread of the malware for long periods. Indeed, after a 10-month break, the group came back in December 2016.

In this fourth iteration of Emotet, the group made use of the RIG exploit kit to ensure its spread. The group used third-party tools integrated into modules for this campaign, which allowed the group to distribute third-party malware, especially the Dridex and Quakbot banking trojans.

Emotet features an email collection and templating engine, which allows it to send emails on behalf of its victims in order to spread further.

Since 2016, the tool mainly acts as a loader that deploys other malware. In 2018 for example, the group mainly deployed TrickBot to its victims, which in turn has been seen distributing ransomware such as Ryuk.

Emotet uses a C&C infrastructure composed of Tier 1 C&C and Tier 2 C&C, the first ones acting as proxies to the second ones. This makes its architecture reliable and hard to take down. In June 2019, Emotet C&C servers became unavailable, another period of inactivity from ATK104, possibly for an infrastructure upgrade. The servers came back online on August 22nd, 2019, using the same binaries as before.

Timeline: May-2014 - Emotet long-running campaigns
ATK11 (Score: 69)
Alias: APT-C-35, CHINASTRATS, DROPPING ELEPHANT, MONSOON, PATCHWORK, QUILTED TIGER, SARIT, SECTORE02
Threat Actor: Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted Sectors: Aviation, Embassies, Energy, Financial Services, Government Agencies, Military, Non-governmental organizations, Political Organizations, Public sector, Software
Motivations & Objectives: Espionage, Theft of sensitive documents
Language: English
Assumed origin of the attacker: India

DESCRIPTION
Patchwork is a cyber espionage group active since at least 2010. One of its specificities is the use of code copy-pasted from multiple online forums combined with high-quality social engineering. It started with Operation Hangover, whose goal seemed to be the surveillance of targets of national security interest for India such as Pakistan or the Nagaland movement. This group was involved in the MONSOON campaign targeting multiple Indian neighbours in various sectors. Multiple articles showed similarities between Patchwork's behaviour and that of other groups (Confucius, Bahamut, Donot Team or BITTER APT), but there is no definitive conclusion as to whether these groups are the same or not.
CAMPAIGNS

2010 - Operation Hangover
Operation Hangover started in 2010 and is the first operation which can be attributed to the Patchwork APT. This campaign targeted Indian national security interests but also Telenor, a Norwegian telecom company.

March - May 2015 - Targeted [...]

2016 - 2017 - Spear-phishing campaign spreading BADNEWS
During these two years the Patchwork group sent multiple spear-phishing lure documents related to the Pakistan Army, the Pakistan Atomic Energy Commission, as well as the Ministry of the Interior to spread their BADNEWS backdoor.

Timeline: Jan-2010 - Operation Hangover; Mar-2018 - Spearphishing campaign against US think tanks
ATK117 (Score: 69)
Alias: APT 38, BLUENOROFF, STARDUST CHOLLIMA
Threat Actor: Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted Sectors: Financial Services, Media
Motivations & Objectives: Financial Gain
Language: Unknown
Assumed origin of the attacker: North Korea

DESCRIPTION
Unit 180 is the North Korean unit in charge of obtaining funds for the cyber activity and for the North Korean regime. This activity has existed since at least 2014 and seems to have been increasing since North Korea has been subject to severe financial sanctions due to the development of new weapons. The economic pressure on Pyongyang leads the North Korean government to find new ways to obtain funding.

APT38 is a North Korean financially motivated threat group which developed multiple ways to steal money, from targeted attacks on banks and cryptocurrency exchanges to the spreading of ransomware. This group seems to have been learning about financial transactions in 2014 and developed SWIFT malware in 2015. From 2014 to 2017 they mostly targeted organizations from Southeast Asia and expanded to South America and Africa in mid-2016. They also targeted Europe and North America from October 2016 to October 2017.

APT38 has a complete arsenal of malware and tools using defense evasion techniques and false flags (use of some poorly translated Russian language in some malware, reuse of known malware). It is possible that this malware was developed by another unit (such as Unit 31); these techniques could be used by other North Korean groups. Despite this arsenal, APT38 uses living-off-the-land tools when possible. They put an effort into discovering the targeted environment and maintaining access as long as possible while staying undetected until they reach their goal. FireEye estimates that they stay in a victim network approximately 155 days. Since 2018 the group has gone from stealthy to noisy, using the destructive KillDisk malware as a distraction tactic while targeting the SWIFT network to initiate malicious transactions. We suspect Unit 180 to be the source of the WannaCry ransomware in 2017.

Strategic Context
The report from the UN Security Council said that North Korea is carrying out "widespread and increasingly sophisticated" cyberattacks and estimates that North Korea has generated $2 billion. As a reminder, since 2009, relations between the West and North Korea have oscillated between tension and calm, while the latter is under embargo and held by the throat. To calm its enemy, the United States provided food aid in exchange for a restraint effort. Despite this, aid is not sufficient, and Korea has no choice but to reiterate its pressure through missile fire or through dangerous barter. For example, for decades North Korea has traded arms with countries such as Syria, Iran, Congo, Burma, Eritrea and Yemen in exchange for food. The cyber tool is suitable in this respect since it allows profits to be made with relative discretion.
CAMPAIGNS

February 2014 - Attack of the Southeast Asian bank
APT38 targeted the Southeast Asian bank using the malwares NESTEGG and KEYLIME, which were specifically crafted to impact financial systems. During this attack APT38 seemed to be still learning about various systems related to financial transactions.

December 2015 - Attempted heist at TPBank
The Vietnamese bank TPBank blocked $1.36 of SWIFT transfers in December 2015.

January 2016: Multiple international bank heist

February 2016 - Bangladesh bank heist
In February 2016, APT38 initiated thirty-five fraudulent transactions worth $851m. While most of them were blocked or recovered, $81m were successfully transferred to the Philippines, laundered through casinos and transferred to Hong Kong.

October 2016 - Watering hole attacks on government and media sites

[...] and more generally all versions prior to Windows 10 that had not performed security updates, in particular that of March 14, 2017 (security bulletin MS17-010). This cyber-attack is considered to be the biggest ransom piracy in the history of the Internet, with the European Police Office Europol describing it as "unprecedented". Among the most important organisations affected by this attack are the companies Vodafone, FedEx, Renault, Telefónica, the National Health Service, the Centre Hospitalier Universitaire of Liège, the Russian Ministry of the Interior and the Deutsche Bahn.

October 2017 - Far Eastern International Bank heist

January 2018 - Attempted heist at Bancomext
In January 2018, APT38 attempted to steal $110m from the Mexican commercial bank Bancomext. The operation failed but APT38 used a wiper called KillDisk to cover their tracks.

April 2018 - Attack on three Mexico banks
ATK 88 (Score: 68)
Alias: FIN6, SKELETON SPIDER, TAG-CR2
Threat Actor: Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted Sectors: Energy, Hospitality, Retail
Motivations & Objectives: Organizational-gain
Language: English, Russian
Assumed origin of the attacker: Unknown

DESCRIPTION
FIN6 is a cybercrime group active since at least 2015 that focuses mostly on the financial sector. Their claim to fame is attacking Point-of-Sale systems and stealing credit card data from them. Millions of cards were stolen using this method in recent years, and subsequently found to be sold on the dark web. Furthermore, in some cases, if they are unable to steal this data, they move to target card-not-present (CNP) data. They usually use specific POS malware, and their victims are companies that have many transactions. Therefore, most of their activity is against victims in the US and Europe. Of note, since mid-2018 the group has been spotted deploying ransomware on non-ecommerce networks.
CAMPAIGNS

2015
FIN6 aggressively targeted and compromised point-of-sale (POS) systems, resulting in the theft of millions of credit cards. In this case, most of the cards were stolen using the GRABNEW malware, which after lateral movement led to the download of POS malware called AbaddonPOS. Following the successful theft, the cards were posted on Dark Web marketplaces that specialize in credit cards, which continued for several months until the victims' networks were clean.

June 2016
FIN6 was able to deploy FrameworkPOS to steal over 300 credit card records from two victims, namely an SMB based in Honolulu, Hawaii, and another based in Chicago. This campaign is not as widespread as their other campaigns.

September 2018
The group was found to use the same TTP as in the original campaign that was recognized in 2016; however, this time it used WMIC to execute PowerShell commands and scripts automatically. The victims in this case were point of sale systems in the USA and Europe.

Since July 2018 - ongoing
The group has started to deploy ransomware on non-ecommerce networks, especially the Ryuk and LockerGoga ransomwares. At the beginning they attacked an Internet-facing system, and then used stolen credentials to move laterally through the system.

End of 2018
The group sent malicious documents with a link to a malicious server that allowed the execution of PowerShell scripts to multiple high-value ecommerce merchants, which gave them access to their internal networks.
Alias: ATK113, FIN8
Score: 68
Threat Actor: Cyber Criminal | Cyber Terrorist | Hacktivist | State Sponsored | Unknown
Targeted Sectors: Entertainment, Food and Agriculture, Healthcare, Hospitality, Retail
Motivations & Objectives: Financial Gain
Language: Unknown
DESCRIPTION
FIN8 is a financially motivated group targeting the retail, hospitality and entertainment industries. The actor had previously conducted several tailored spearphishing campaigns using the downloader PUNCHBUGGY and the POS malware PUNCHTRACK.
CAMPAIGNS

ATK113 (FIN8) targets retail, restaurant [...]
[...] threat actor launched several tailored spear phishing campaigns primarily targeting the [...]

ATK113 targets hotel-entertainment industry
[...] sophisticated variant of the ShellTea/PunchBuggy backdoor malware that [...]

Timeline:
- Mar-2016
- Mar-2019: ATK113 targets hotel-entertainment industry

Assumed origin of the attacker: Unknown
Alias: APT-C-23, ATK 66, ARID VIPER, BIG BANG APT, DESERT FALCONS, TAG-CT1, TWO-TAILED SCORPION
Score: 67
Threat Actor: Cyber Criminal | Cyber Terrorist | Hacktivist | State Sponsored | Unknown
Targeted Sectors: Administration, Defense, Education, Government Agencies, Media, Military, Political Organizations, Transportation
Motivations & Objectives: Ideology
Language: Arabic
DESCRIPTION
APT-C-23 is commonly considered an APT group linked to the Hamas organization ruling the Gaza Strip. Reportedly, the group was established in 2011, but became active starting from 2014, when the first attacks were detected in the wild. By examining the group's victims and its TTPs, it is apparent that the group's targets are mainly related to the Palestinian Authority. APT-C-23 members are native Arabic speakers from the Middle East. According to Kaspersky, at its origins APT-C-23 consisted of 30 members working in three teams and operating mainly out of the Palestinian Territories, Egypt and Turkey.
CAMPAIGNS

2015 - Operation Arid Viper
A targeted campaign against targets in Israel from the government, defense, transportation, critical infrastructure and academia sectors. The group mainly used spear-phishing emails with a compressed .RAR attachment including a decoy file and the malware (using the Skype icon and name in some cases). After a successful infection the group used its access to steal documents.

2015 - Operation Advtravel, an offshoot of the Arid Viper campaign
Using some of the same infrastructure to attack victims mainly in Egypt.

2017 - KASPERAGENT/Micropsia Malware Campaign
A malware campaign against targets in the United States, Israel, Egypt and the Palestinian Territories. The threat actors used four [...] Windows systems and two for Android systems. To infect users, the group used both spear-phishing and fake news websites while exploiting URL-shortening services.

2018 - GnatSpy Campaign Targets the Palestinian Authority
A mobile malware campaign distributing the GnatSpy strain.

2018 - Big Bang Campaign
A highly targeted malware (infostealer) campaign against the Palestinian Authority.

2019 - New Micropsia Campaign
A campaign spreading the Micropsia malware, first discovered in the group's 2017 attack campaign. In the current campaign the group used a decoy document allegedly sent from the general security wing of Hamas, which discusses alleged financial deviations spotted among high [...]

Assumed origin of the attacker: Gaza Strip
Alias: ATK 126, Clement02, Clem02100, Clement02100, JiiN, JiiN02100, Sparks™, TAG CR9
Score: 67
Threat Actor: Cyber Criminal | Cyber Terrorist | Hacktivist | State Sponsored | Unknown
Targeted Sectors: End Users
Motivations & Objectives: Personal-gain
Language: English
DESCRIPTION
JiiN is a top member of a hacking forum that we monitor, where he has been active since July 2, 2010. Since that time, he has created 65 threads and 1,028 posts under two different pseudonyms (JiiN and Clement02). The analysis we performed on JiiN's activity on the forum shows he is generally online seven days a week, from 1:00 to 13:00 UTC/GMT+0 (twelve hours on average), and he is likely a French speaker (in an early post, he saluted other French members) but, interestingly, refrains from writing posts in French. We assess these regularities in JiiN's activity patterns might indicate he works office hours and that engaging in cybercrime is his main occupation. A review conducted on his copious publications revealed that JiiN is a fervent gamer, as well as a malware developer. The threat actor has been mainly advertising "crypters" (software used for obfuscating other malware in order to evade detection) and cryptocurrency miners since his early stages in the cybercrime underground. Of note, JiiN regularly receives positive feedback for his malware projects, and therefore enjoys a very positive reputation in the underground community. Since 2017, the threat actor has advertised three main products, which are also offered for sale on a popular e-commerce platform in the Clearnet: MinerGate Silent Miner, Coak Crypter, and NiiJ Stealer. The three malware strains are still up for sale at the time of writing. Moreover, we have also retrieved and analyzed an allegedly unknown malware we dubbed Cassandra Stealer from a domain under JiiN's control.

Assumed origin of the attacker: France
CAMPAIGNS

February 2013 - BlackShades RAT Campaign
In a 2013 forum post, JiiN admits spreading the Blackshades RAT via Torrent, after crypting the malware with several crypters [...] about the low infection rates gained through this spreading method. Moreover, JiiN was observed spreading RATs bundled with FlashPlayer via weaponized [...]

2013 - Cryptomining Campaign
Allegedly, he has done so by using the Triplemining pool because of its loose oversight of illicit activity. Of note, infecting computers for cryptomining purposes has apparently been a mainstay of JiiN's criminal activity. In this regard, he even developed his own cryptominer, named "Minergate Silent Miner," put up for sale in October 2017. There is also evidence that JiiN has been partnering with other threat actors for spreading cryptomining malware.

2014 - NetWire RAT Campaign
JiiN was noted using NetWire RAT in mid-2014, even asking for help solving technical issues he encountered. Of note, together with cryptomining, RAT spreading has been a staple of the threat actor's illicit activity since the beginning of his cybercriminal "career."

October 2017 - Minergate Silent Miner Sales Operation
On October 25, 2017, JiiN created his first malware listing for his self-developed cryptominer, named Minergate Silent Miner, [...] with the Minergate pool. Ostensibly, more than 200 customers bought the malware in the past two years, releasing very positive feedback, both about the product [...]

July 2019 - NiiJ Stealer Sales Operation
On July 26, 2019, JiiN created a sales thread for his new infostealer, named NiiJ Stealer (V1.5), in the market section of a prominent English-language hacking forum. Of note, JiiN also sells the malware on an e-commerce platform broadly used for illicit purposes. We also detected a proprietary website JiiN uses for advertising his malware. NiiJ Stealer is written in .NET, and its key function is to steal information from three distinct browsers (Firefox, Chrome, Opera), the FileZilla open-source FTP client, and the Pidgin chat client, in addition to implementing the No-IP dynamic DNS service. The threat actor offers a lifetime license, which includes the malware builder and the PHP/SQL files related to its control panel (CP), for US$ 35. Based on the results of the AV scanning uploaded by JiiN in the sales thread, as at August 7, 2019, NiiJ Stealer was undetected (FUD) by major AV software.

Timeline:
- Feb-2013: BlackShades RAT campaign
- 2013: Cryptomining campaign
- 2014: NetWire RAT campaign
- Oct-2017: Minergate Silent Miner Sales operation
- Aug-2018: Coak Crypter Sales operation
- Jul-2019: NiiJ Stealer Sales operation
Alias: ATK51, MUDDYWATER, MOBHAM, NTSTATS, POWERSTATS, SEEDWORM, STATIC KITTEN, TEMP.ZAGROS
Score: 66
Threat Actor: Cyber Criminal | Cyber Terrorist | Hacktivist | State Sponsored | Unknown
Targeted Sectors: Defence, Education, Energy, Financial Services, Government Agencies, Healthcare, High-Tech, International Organizations, Media
Motivations & Objectives: Espionage
Language: Unknown
DESCRIPTION
ATK51 attacks are primarily against Middle Eastern nations. However, we have also observed attacks against surrounding nations and beyond, including targets in India and the USA. MuddyWater attacks are characterized by the use of a slowly evolving PowerShell-based first stage backdoor we call "POWERSTATS". Despite broad scrutiny and reports on MuddyWater attacks, the activity continues with only incremental changes to the tools and techniques.
CAMPAIGNS

MuddyWater targets Middle East, USA and India
The attackers behind MuddyWater have been active throughout 2017, with targets across the Middle East and surrounding areas. The countries targeted were Saudi Arabia, Iraq, Israel, United Arab Emirates, Georgia, India, Pakistan, Turkey and the USA.

ATK51: Seedworm's Powermud backdoor campaign
The Seedworm campaign (ATK51) took place between the end of September 2018 and mid-November of the same year. In all, 131 victims were infected with the Powermud backdoor according to Symantec. They were mainly in Pakistan and Turkey. There are also organizations that have been victims of this backdoor in Russia, Saudi Arabia, Afghanistan, Jordan and other countries. European and North American organizations have also been compromised, their common denominator being their link with the Middle East. Among the sectors affected are telecommunications and IT services. There are also victims in the oil and gas sector, more specifically companies linked [...] Victims also include Middle Eastern universities and Middle Eastern embassies based in Europe. Finally, two large NGOs were compromised, as well as victims working for global public health organizations.

MuddyWater Operations in Lebanon and Oman
At the end of 2018 ATK51 targeted victims, probably from Lebanon and Oman, while exploiting compromised domains, one of which belongs to an Israeli web developer. Depending on each sample, the content of the document is either a false curriculum vitae or a letter from the Ministry of Justice in Lebanon or Saudi Arabia.

ATK51 updates its TTP in Spear Phishing Campaign to target Asia and Middle East
From January 2018 to March 2018, FireEye observed ATK51 (MuddyWater) leveraging the latest code execution and persistence techniques to distribute malicious macro-based documents to individuals in Asia and the Middle East.
From January 23 to February 26, 2018: Turkey, Pakistan, Tajikistan.
From February 27 to March 5, 2018: [...]
[...] analysis of another campaign that bore the hallmarks of MuddyWater. Instead of using government or telecommunication-related documents, the new lure is presented as a reward or promotion, which could indicate that the targets are no longer limited to specific industries or organizations.

Timeline:
- Feb-2017: MuddyWater targets Middle East, USA and India
- May-2017: After MuddyWater, ATK51 led a new and broader campaign in early 2018
- Feb-2017: ATK51 updates its TTP in Spear Phishing Campaign to target Asia and Middle East
- Sep-2018: ATK51: Seedworm's Powermud backdoor campaign
- Sep-2018: MuddyWater Operations in Lebanon and Oman

Assumed origin of the attacker: Iran
Alias: ATK 67, COBALT GROUP, COBALT GANG, COBALT SPIDER, GOLD KINGSWOOD, TAG-CR3
Score: 66
Threat Actor: Cyber Criminal | Cyber Terrorist | Hacktivist | State Sponsored | Unknown
Targeted Sectors: Financial Services, High-Tech, Media, Retail
Motivations & Objectives: Personal-gain
Language: Russian
DESCRIPTION
Cobalt group is considered to be a highly advanced financial actor. The group's targets come mostly from the financial sector, with a strong focus on banks and ATM services in Eastern Europe and Asia. Cobalt was first spotted in 2016 in an attack against a bank in Russia, and while the group leader was arrested in Spain, the group is still considered to be active. The group uses a variety of attack tools, including tools developed in house. Furthermore, part of the group's tactics is to attack the supply chain of its targets.
CAMPAIGNS

Jun - August 2016 - Attacks Against [...]

2018 - Spear Phishing Campaigns [...]

Spain Ukraine
Alias: APT 37, ATK4, GROUP 123, OPERATION DAYBREAK, OPERATION EREBUS, REAPER, RED EYES, RICOCHET CHOLLIMA, SCARCRUFT
Score: 66
Threat Actor: Cyber Criminal | Cyber Terrorist | Hacktivist | State Sponsored | Unknown
Targeted Sectors: Aerospace, Chemical, Healthcare, High-Tech, Manufacturing, Transportation
Motivations & Objectives: Espionage
Language: Korean
DESCRIPTION
APT37 (aka Group 123, Reaper, Scarcruft) is a North Korean cyber espionage group active since at least 2012. This group targets the public and private sector, mostly in South Korea. FireEye judges that its primary mission is covert intelligence gathering in support of North Korea's strategic military, political and economic interests. This threat actor is skilled and resourceful. By its focus on South Korean targets this group can be compared to Unit 91, which has similar objectives. While from 2014 to 2017 APT37 targeted primarily the South Korean government, military, defense industrial base, and media sector, APT37 switched to more international targets with new attacks against the Middle East, Japan and Vietnam. These new targets are all related to North Korean interests. This group uses spear phishing, Strategic Web Compromises or torrent file-sharing as initial infection vectors. From 2014 to 2017 their lure documents were written in Korean and were related to themes relative to the Korean peninsula. It uses various legitimate platforms as C2 and has access to multiple 0-day vulnerabilities. The group can incorporate recently disclosed vulnerabilities in their toolset. This can be explained by the collaboration of different Units within the North Korean Reconnaissance General Bureau. APT37 uses a C2 infrastructure composed of compromised servers, messaging platforms, cloud services and social media to communicate or deploy its malware and avoid detection. The small websites that were leveraged were probably victims of opportunistic attacks.

Assumed origin of the attacker: North Korea
CAMPAIGNS

August 2016 - March 2017 - Golden [...]
APT37 targets South Korea using spear-phishing emails allegedly sent by the Korean Ministry of Unification. The usage of Hancom Hangul malicious documents reduces the risk of being detected by security tools. The lure documents were about New Year's activities of North Korea. These documents dropped binaries which tried to connect to the compromised website of the Korean Government Legal Services (KGLS). During this campaign, the reconnaissance phase was separated from the DOGCALL/ROKRAT payload.

May 2017 - APT37 targets a Middle Eastern company (Freemilk campaign)
In May 2017, APT37 used a spear phishing lure against a board member of a Middle Eastern financial company, exploiting CVE-2017-0199, which had been disclosed recently. The targeted company was involved in North Korean affairs and was attacked quickly after media reported on the termination of their collaboration. APT37 used the malware SHUTTERSPEED/Freenki.

November 2017 - North Korean [...]
[...] a lure document about an analysis of the 2018 New Year speech made by the leader of North Korea, alleged to have been written by the Ministry of Reunification. This is the same method used one year earlier.

September 2018 - ScarCruft targets a Russian organization related to North Korean affairs
On September 21, 2018, ScarCruft attacked a Russian victim who had been compromised by the APT group called DarkHotel in March 2018. The fact that this victim visits North Korea makes it special and suggests that it may have valuable information about North Korean affairs. APT37 and DarkHotel are both Korean speakers but seem to be in conflict. There is some overlap in their victimology, but they use different TTPs and tools. It is not impossible that one of these groups is regularly watching the other.

Timeline:
- Nov-2016: Evil New Year campaign
- May-2017: APT37 targets a Middle Eastern company (Freemilk campaign)
- Nov-2017: North Korean Human Rights campaign
- Jan-2018: Evil New Year 2018 campaign
- Sep-2018: ScarCruft targets a Russian organization related to North Korean affairs
Alias: ATK 86, SILENT GROUP, TAG-CR8
Score: 65
Threat Actor: Cyber Criminal | Cyber Terrorist | Hacktivist | State Sponsored | Unknown
Targeted Sectors: Financial Services, Government Agencies
Motivations & Objectives: Organizational gain
Language: Russian, English
DESCRIPTION
Silence Group is a cybercrime group that has been active since the end of 2016 and has attacked mostly banks all over the world. The group is believed to be from Russia, because most of their attacks (at least at the beginning) were directed against banks from Russia and former Soviet Union countries. Furthermore, they used a very high level of Russian in their phishing emails, and it was found that some of the commands of their tools were in Russian. However, over the years the group has shifted to attacking banks all over the world, such as in East Asia, Europe and more. The group is known for their sophisticated and profound attacks, in which they usually take a long period of time to study the potential victim, to maximize the attack against them. In most cases, spear-phishing emails with a malicious file attached were sent to bank employees. This usually downloaded the Silence Trojan, which has many capabilities: stealing data, downloading additional tools, tracking victims and more. A few versions of the tool were found, which shows that the group is continuing to enhance them. Furthermore, the group uses malware to attack ATMs specifically, such as Atmosphere. Through this, the group was able to steal millions of dollars in cash over the years, mostly from banks in Russia and Eastern Europe. Overall, the group continues to be highly active, and new campaigns were uncovered just in the past few months.
CAMPAIGNS

July-August 2016 - Silence targets the Automated Workstation Client of the Russian Central Bank
The group gained access to the Automated Workstation Client of the Russian Central Bank (AWS CBR), which enables the transfer of funds between Russian banks. The station was located in part of a Russian bank, and through it the group tried to steal funds. However, the attack was thwarted by the bank itself because of the improper preparation of the payment order. A month later, the group gained access to a server of the same bank, and this time downloaded software that takes screenshots, which were sent to the attackers. Also in this case, the attack was stopped before any valuable information was stolen.

September 2017 - Silence targets banks
A targeted attack was launched against banks in Russia, Malaysia and Armenia. In this case the group gained access to the internal networks of the banks, and then studied their day-to-day work. This stage was in order to create a very focused attack, which would make it more successful. The group has also used spear phishing emails with malicious attachments to compromise the victims.

October 2017 - Silence Group attacked ATMs
Silence Group attacked ATMs and stole hundreds of thousands of dollars from a Russian bank, alongside DDoS attacks against them, using IRC channels to control the Trojans. Of note, even though they again had access to the AWS CBR system, they did not try to exploit this system this time.

January 2018 - February 2018 - Attacks against financial institutions
Financial institutions in the UK, India and Russia were attacked, and funds were stolen from most of them. The attack in most cases used malicious Word documents.

February - April 2018 - Attacks against Russian and Eastern European banks
As part of two attacks against Russian and Eastern European banks, hundreds of thousands of dollars were stolen. In the first case, more than half a million dollars were stolen through card processing. In the second one they stole about 150,000 dollars after they used their own tool on ATMs to steal the funds.

May 2018 - October 2018 - Spear-phishing campaigns against banks in Russia
In 2018, emails with malicious Word attachments were sent to banks in Russia; the attachments exploited the CVE-2017-11882 vulnerability to install the Silence Trojan. The first attack was against Russian banks, and the second was against a bank in India.

October 2018 - January 2019 - Reconnaissance campaigns against banks
The group launched three reconnaissance campaigns against banks in different areas. As part of the campaigns, tens of thousands of emails were sent to different targets with a picture or a link, but without a malicious payload. The purpose of this campaign was to update their email list (with the active emails), and to see their cyber-security defenses. The campaign was launched against South Asian countries (Taiwan, Malaysia, and South Korea), former Soviet Union countries (Kyrgyzstan, Kazakhstan, and Ukraine) and European countries (mostly Britain). In most cases, the victims that received the phishing emails were bank employees.

June 2019 - July 2019 - Silence targets banks using the EDA trojan
The group attacked banks in Russia, Chile, Bulgaria, Costa Rica and Ghana. In some of these attacks the EDA Trojan was used.

March 2019 - May 2019 - ATM attacks
At the end of May 2019, a few individuals stole large amounts of money from an ATM of the Bangladeshi bank Dutch-Bangla on a few separate days. Two possibilities were raised as to how this was possible: by using the Atmosphere Trojan that was previously deployed on the attacked devices, or through the card processing mechanism. Of note, two other Bangladeshi banks (NCC Bank and Prime Bank) were also attacked at the same time, but they were eventually able to thwart the attack.

June 2019 - July 2019 - Attack of the Russian IT bank
At the beginning, emails with a malicious attachment that looked like invitations to the International Financial Forum iFin-2019 were sent to employees of the Russian IT bank. The email contained a ZIP archive attachment that deployed the latest version of the Silence malware.
Alias: APT33, ATK35, CHARMING KITTEN, ELFIN, GROUP 83, IKITTENS, MAGNALLIUM, NEWSBEEF, NEWSCASTER, PARASTOO
Score: 64
Threat Actor: Cyber Criminal | Cyber Terrorist | Hacktivist | State Sponsored | Unknown
Targeted Sectors: Aerospace, Aviation, Chemicals, Communication, Defence, Dissident, Education, Energy, Financial Services, Government Agencies, Healthcare, High-Tech, Manufacturing, Media, Research
Motivations & Objectives: Espionage
Language: Unknown
DESCRIPTION
ATK35 is an Iranian cyberespionage group operating since approximately 2013. This adversary targets organizations involved in the government, defense technology, military, and diplomacy sectors. This adversary has been known to leverage fraudulent social network profiles to target individuals and organizations of interest through credential collection and malware infection via an IRC-based malware variant. The scope of elaborate personas and fraudulent organizations created by CHARMING KITTEN reveals this adversary engages in a level of preparation and patience not often seen with targeted intrusion efforts. This actor will also target third-party service providers in order to compromise organizations of interest. ATK35 usually tries to access private email and Facebook accounts, and sometimes establishes a foothold on victim computers as a secondary objective. The group's TTPs overlap extensively with another group, ATK26 (Rocket Kitten), resulting in reporting that may not distinguish between the two groups' activities. ClearSky exposed a connection between Charming Kitten and Behzad Mesri, an Iranian national indicted for his involvement in hacking HBO. By pivoting off the malicious infrastructure, ClearSky found a sample of MAGICHOUND.RETRIEVER, a malware which is covered in a report by Palo Alto Networks about a group they call Magic Hound.

Assumed origin of the attacker: Iran
CAMPAIGNS

2011-2014 - Operation "Newscaster"
For three years the group created fake accounts on social networks and a fake information website to spy on military and political leaders in the United States and Israel. The targets include a four-star U.S. Navy Admiral, U.S. legislators and ambassadors, as well as personnel from Afghanistan, Britain, Iraq, Israel, Saudi Arabia and Syria. It appears that the attackers were seeking authorizations to access government and the browsers used by them.

2016-2017 - Vast espionage campaign using DownPaper
The group seems to focus on people of interest to Iran in the areas of academic research, human rights and media. The focus is on Iranian dissidents living in [...]

2016-2017 - Operations against United States, Saudi Arabia and South Korea
APT33 has targeted organizations, spanning multiple industries, headquartered in the United States, Saudi Arabia and South Korea. These organizations are linked to the aviation sector (both military and commercial capacities), as well as organizations in the energy sector with ties to petrochemical production.
In the United States, Behzad Mesri has been accused by the American authorities of hacking into HBO's systems and of being linked to the Charming Kitten group (APT33, Elfin, etc.).

December 2018 - February 2019 - Attacks against the Saudi [...]

Timeline:
- Jan-2011: 2011-2014 Operation Newscaster
- Feb-2016: NewsBeEF Operation
- Jan-2017 (early 2017): MacDownloader campaign targeting the defence industrial base
- Aug-2017: HBO hacked by Behzad Mesri, linked to ATK35
Alias: ATK1, DRAGONFISH, ELISE, LOTUS BLOSSOM, SPRING DRAGON, ST GROUP
Score: 64
Threat Actor: Cyber Criminal | Cyber Terrorist | Hacktivist | State Sponsored | Unknown
Targeted Sectors: Communication, Education, Government Agencies, Military
Motivations & Objectives: Espionage
Language: Unknown
DESCRIPTION
ATK1 (aka Lotus Blossom, Spring Dragon, DragonFish) is a cyber espionage threat group which targets countries around the South China Sea. It has been active since at least 2012 and targets high-profile governmental organizations and political parties, universities and telecommunication companies in long-term operations. The group is of Chinese origin. Using Elise malware in particular, it spied on many government organizations, mostly in Southeast Asia, probably in support of the Silk Roads project and securing the maritime face of the project. At the end of 2015, Emissary received many updates, probably to avoid detection by security products. After a very active period, the group remained discreet until early 2017. Other campaigns were conducted sporadically until 2018, always using Elise as the main attack vector, and sometimes using new exploits, such as CVE-2017-11882. ATK1 is capable of carrying out very large operations over a long period of time, while developing its specific arsenal. Its targets are extremely specific, and the group rarely deviates from them.
CAMPAIGNS

2012 - Phishing campaign using a PDF document containing an invitation to a defence event
In September 2012, a phishing campaign using a PDF document containing an invitation to a defence event was detected.

2013 - Attack against Taiwan, United States, Canada and some other countries
In the second half of 2013, during a new campaign, Elise malware was identified as part of a larger malware group, called LStudio. This campaign mainly targeted Taiwan (nearly 84% of attacks) as well as the United States, Canada and other countries. Governments, electronics manufacturers and telecommunications companies were the first victims.

Attack against military and government targets in Vietnam, Philippines, Hong Kong, Taiwan and Indonesia
A particularly important campaign took place between 2012 and 2015. It was mainly organized around four countries, with a dedicated infrastructure for each target. The four countries are Vietnam, the Philippines, Hong Kong and Taiwan (same infrastructure), as well as Indonesia.

2015 - Emissary Malware used against French Ministry of Foreign Affairs
In 2015, the group was particularly active, and demonstrated new distribution methods for its malware, particularly using "water holes". The group also attacked the French Ministry of Foreign Affairs, and more particularly a diplomat stationed in Taipei.

2017 - Elise campaign against its traditional targets in Southeast Asia
In 2017 ATK1 has been running a campaign focused on its traditional targets: government organizations, academic institutions and telecoms in Southeast Asia.

Timeline:
- Jan-2012: Attack against military and government targets in Vietnam, Philippines, Hong Kong, Taiwan and Indonesia
- Sept-2012: Phishing campaign using a PDF document containing an invitation to a defence event
- Jul-2013: Attack against Taiwan, United States, Canada and some other countries
- Jan-2015: Emissary Malware against French Ministry of Foreign Affairs
- Jan-2017: Elise campaign against its traditional targets in Southeast Asia

Assumed origin of the attacker: China
Alias: ATK116, CLOUD ATLAS, INCEPTION GROUP
Score: 63
Threat Actor: Cyber Criminal | Cyber Terrorist | Hacktivist | State Sponsored | Unknown
Targeted Sectors: Aerospace, Energy, Government Agencies, Military, Research
Motivations & Objectives: Cyber Espionage
Language: Russian
DESCRIPTION
Cloud Atlas is a cyber espionage group active since at least 2007, focusing on governmental agencies around the world. This group is known for Operation Red October, targeting governmental agencies (embassies), research, energy, aerospace and military in a wide range of countries, mostly in Russia, Western and Eastern Europe, Central Asia, South America and Africa. This group seems to have Russian-speaking origins. It used a large CnC network of infected machines and dozens of domain names working as a chain of proxies to hide the attacker's location. Cloud Atlas is able to target mobile devices, network equipment and removable disk drives, increasing the quantity of sensitive data accessible. They use multiple exploits but not 0-days, which can be interpreted as a lack of resources. Cloud Atlas created the Inception framework, a sophisticated framework able to launch multiple modules, allowing the group to adapt to its target. This framework is still used in 2019. After the Kaspersky disclosure in 2013, the group hid and then reappeared in 2014 with the "Cloud Atlas" malware. This behaviour was repeated thereafter in 2014, following a new Symantec publication. The group improved its C2 infrastructure in 2014 by using cloud services, which have the advantage of not being blacklisted and of using encrypted communication protocols. They can also use compromised routers as proxies to hide their origin.
CAMPAIGNS
Jan-2007
2007 - 2013 - Operation Red October October 2018 - Attack against 2007
Operation Red
The Red October is a series of targeted European targets 2008 October
intelligence gathering attacks against Cloud Atlas used a new first-stage PowerShell 2009
diplomatic, governmental and scientific backdoor called POWERSHOWER to 2010
research organizations, mostly located in target European organizations. The lure
2011
Eastern Europe, former URSS members documents are about pollical actualities
Central Asia. 2012
like articles about the situation in Crimea.
2013
2014 - 2017 - Re-emergence of the Jan-2014
Inception Group 2014 Re-emergence
of the Inception
2015
After the disclosures, Cloud Atlas group Group
Unknown
83
Alias: ATK13, HIPPO TEAM, GROUP 88, KRYPTON, PFINET, POPEYE, SNAKE, TAG_0530, TURLA, UROBUROS, VENOMOUS BEAR, WATERBUG, WRAITH
Score: 63
Targeted Sectors: Government Agencies, International Organizations, Political Organizations, High-Tech, Research, Defence, Aerospace
Motivations & Objectives: Espionage
Language: Unknown
Assumed origin of the attacker: Russia

DESCRIPTION
ATK13 (Turla, Uroburos, Waterbug, Venomous Bear) is a cyber espionage threat actor active since at least 2008, when it breached the US Department of Defense. ATK13 is a Russian-speaking group and is widely believed to be a Russian state-sponsored organization.
In 2015, Kaspersky described ATK13 as one of the “several elite APT groups [that] have been using — and abusing — satellite links to manage their operations — most often, their C&C infrastructure”.
During 2018 and 2019, ATK13 continued to target governments and international organizations in multiple waves of attacks and continued to improve its tools. The most recent attack targeted an Iranian APT group called OilRig.
Turla's attack on one of Iran's most successful groups combines opportunism and international interests. It should be recalled that since 2014 and the annexation of Crimea, Western pressure and the fall of the oil price have plunged Russia into recession. For this reason, Russia has moved closer to Saudi Arabia, whose alliance with the United States had weakened under the Obama administration in the wake of the Iranian nuclear agreement supported by the former US President. The change in the American diplomatic line since the election of Donald Trump does not seem to have diverted Saudi Arabia from this alliance. This rapprochement of interests is denounced by Iran, most recently at the OPEC meeting in Vienna in July 2019. The tension is also economic, as both countries are positioning themselves to address the European gas market.

CAMPAIGNS
November 2008 - Cyber-attack on US Defense Department computers
In November 2008, senior military leaders reported a malware breach that affected the U.S. Central Command network, including computers both in the headquarters and in the combat zones. The malware used was Agent.btz [...] creation, and the Pentagon spent nearly 14 months cleaning the worm. The US military was not the only victim: the worm spread globally and was still infecting users in 2013.

2005 - 2014 - The Snake campaign
Turla targeted government institutions, military, education, research and pharmaceutical companies in more than 45 countries.

2014 - 2017 - Turla conducted watering hole campaigns by targeting embassy websites
During the 2014 - 2017 period, ATK13 appears to have conducted watering hole campaigns by targeting embassy websites, as described by ESET, using the JavaScript payload ICEDCOFFEE. The targets were still embassies and consulates in Eastern Europe.

Governments and defense contractors compromised
In March 2018, the German government made a public announcement of its
Alias: ATK 140, Kelvin Security, KelvinSec Team, KelvinSecteamGobVe, TAG-CR6, teamkelvinsecteam
Score: 62
Targeted Sectors: Administration, Aerospace, Aviation, Casino & Gaming, Communication, Cyber-security, Defense, Education, Energy, Financial Services, Government Agencies, Healthcare, High-Tech, Hospitality, International Organizations, Manufacturing, Media, Military, Naval, Pharmaceutical, Political Organizations, Research, Retail, Transportation
Motivations & Objectives: Personal gain, Notoriety, Ideology
Language: English, Spanish

DESCRIPTION
Kelvin Security is a South American “blackhat” hacking group led by an individual named Kevin Parra. The group has been active since at least 2015 and displays medium technical capabilities. It has a vast online presence, both on the clearnet (numerous social media outlets, a YouTube channel, blogs, etc.) and on dark web forums and markets populated by cybercriminals. These outlets are mainly used to promote the stolen data they sell and to share malicious tools and techniques (usually publicly available). During its activity Kelvin Security has claimed responsibility for hundreds of attacks against almost all industry verticals, with a particular focus on the government sector. The group's specialty is web-based attacks that typically lead to data exfiltration. However, the group has also displayed interest in compromising ICS/SCADA systems and medical devices. The group also runs an online shop (hxxp://ksecureteam[.]com) where it offers a variety of hacking-related services (malware, exploits, databases, system access, etc.), also as a subscription model.
Alleged Kelvin Security members: Kelvin Parra (Venezuela), Rodrigo Alonzo Canaza (Peru), Omar Rodriguez (Peru), Jhonatan James (Colombia).

CAMPAIGNS
June 2015 - University of Madrid attack
Kelvin Security claimed responsibility for hacking the UNIVERSIDAD POLITÉCNICA DE MADRID (hxxp://www.upm.es/).

June 2016 - Saudi Arabia banks attack
Kelvin Security claimed responsibility for hacking Saudi Arabian bank accounts.

July 2016 - Miami and LAX airports attack
Kelvin Security claimed responsibility for hacking the Miami and LAX airports, dumping data.

July 2017 - Italian nuclear institute attack
Kelvin Security claimed responsibility for hacking the Italian “Istituto Nazionale di Fisica Nucleare”, dumping data.

2018 - Venezuelan government attack
Kelvin Security leaked PII of Venezuelan government officials, including that of President Nicolás Maduro.

June 2018 - US aircraft drone attack
Kelvin Security offered for sale alleged top secret documents on the Reaper and Predator drones.

June 2018 - Venezuela's electoral system attack
Kelvin Security offered for sale alleged data stolen from Venezuela's electoral system.

June 2018 - Chilean oil and energy companies attack
Kelvin Security offered for sale access and shells for contractors in Chile.

June 2018 - Security cameras on the USA and Mexico border attack
Kelvin Security shared for free access to security cameras on the USA and Mexico border.

June 2018 - Kinder Morgan attack
Kelvin Security claimed responsibility for hacking the SCADA system of Kinder Morgan in Roswell, Nevada.

June 2018 - Mexico City airport attack

July 2018 - Citadel New York stock exchange attack (also listed on the page as August 2018 - CITADEL Stock)

2018 - Colombian intelligence system attack
Kelvin Security offered for sale an alleged Colombian intelligence system similar to the NSA's XKeyscore.

August 2018 - Credit Bank Colombia users system attack
Kelvin Security offered for sale an alleged database of the Bancoomeva bank.

August 2018 - Movistar Mexico attack
Kelvin Security claimed to have found

January 2019 - Colombian banks attack

March 2019 - Airbnb Spain attack
Kelvin Security shared for free alleged databases stolen from Airbnb Spain.

Kelvin Security also offered for sale alleged databases of multiple Colombian government websites, and access to 225 ICS in the USA, Russia, South Korea, Australia, Sweden, France, Germany and Spain.

Timeline as charted on the page. 2015: Aviation Group attack. 2018: USA and Mexico border attack, Emirates attack, Credit Bank Colombia users attack, Kinder Morgan system attack, Venezuelan Government attack, Mexico City airport attack, Movistar Mexico attack, Bank of Venezuela attack, Air Force attack, Peru transportation system attack, Dubai Petroleum system attack, Colombian Intelligence System attack, Citadel stock exchange attack (Jul-2018).

TOOLS, MALWARES AND VULNERABILITIES
Malwares
Custom tools: regimenDDoS, WhatsApp IP Capture Script, OutlookLeakTest, PhoneMonitor, PoT
Publicly available tools: Athena Botnet, BoopSuite, Browser-RAT, Burp Suite, Chimay-Red, Chrome Password Dumper, Crypter, Dumb0, GPON, Hodin RAT, Industrial Security Exploitation Framework, Katana Framework, LSB-Steganography, LimeRAT, LizardStresser Bot, Loki RAT, Nmap, QTLJacking, RACP, Splice-Admin, TrojanCockroach, Vanilla RAT, WES-NG, cisco-rce, google-drive-exploit, google_RAT, iGoat-Swift, izi-locker, rdroid, snallygaster, vhackos-botnet
Tools used by multiple adversaries: KimcilWare Ransomware
Legitimate software: None identified
Exploited vulnerabilities: CVE-2016-0777, CVE-2016-8858, CVE-2017-3881, CVE-2018-10561, CVE-2018-10676, CVE-2018-1133, CVE-2018-20377, CVE-2018-2879, CVE-2018-7600, CVE-2019-0708, CVE-2019-0841, CVE-2019-7216
Alias: ATK83, SectorM04, Whitefly
Score: 61
Targeted Sectors: Engineering, Healthcare, Media, Telecommunication
Motivations & Objectives: Espionage
Language: Unknown
Assumed origin of the attacker: Unknown

DESCRIPTION
ATK83 (Whitefly) is the group responsible for the SingHealth breach between August 2017 and July 2018, during which 1.5 million patient medical records were accessed and around 159,000 of these records were exfiltrated, including those of Prime Minister Lee Hsien Loong (it should be noted that the Singaporean Prime Minister has had significant health concerns in the past). Whitefly likely used phishing to gain access to a front-end workstation before moving laterally to the SCM (Sunrise Clinical Manager) database. Singapore's Committee of Inquiry described the attacker as skilled, sophisticated and well-resourced, with an extensive C2 infrastructure and the capability to develop multiple customised and stealthy tools. Whitefly made great efforts to stay undetected or, at least, to make the attack difficult to attribute. It re-entered the network after being detected in order to delete system and program logs.
Symantec found that this group has been active since at least 2017 and has conducted multiple targeted attacks against organizations mostly in Singapore, across a large range of sectors, to steal sensitive information. Some custom tools used by Whitefly were also used between May 2017 and December 2018 in attacks against the defense, telecom and energy sectors in Southeast Asia and Russia and against the hospitality sector in the United Kingdom, but these attacks may have been launched by other groups with access to the same tools.

CAMPAIGNS
August 2017 - July 2018 - SingHealth cyber attack
Alias: ATK 27, DARK CARACAL, TAG-CT3
Score: 59
Targeted Sectors: Defense, Education, Financial Services, Government Agencies, Healthcare, International Organizations, Legal Services, Manufacturing, Media
Motivations & Objectives: Coercion, Ideology, Organizational gain, Unpredictable
Language: Unknown

DESCRIPTION
Dark Caracal is an advanced persistent threat group active since January 2012. It is supposedly linked to the Lebanese government, since its activity was traced to the headquarters of the General Directorate of General Security in Beirut, Lebanon. Dark Caracal has been conducting a multi-platform, APT-level surveillance operation targeting individuals and institutions globally.

CAMPAIGNS
January 2012 - First mobile surveillance campaign
Named oldb, an Android campaign that included stealing bookmarks and browsing history from web pages. It identified victims who were active in political discourse.

November 2012 - Phishing campaign
Security researchers identified four “personas”, two phone numbers and two domains associated with Dark Caracal. The personas associated with op13@mail[.]com include Nancy Razzouk, Hadi Mazeh and Rami Jabbour. All of the physical addresses listed in the WHOIS domain registrations associated with op13@mail[.]com tend to cluster around the locations of the Wi-Fi SSID Bld3F6. This is near the General Security building in Beirut, Lebanon.

June 2015 - Operation Manul
Operation Manul phishing emails were first seen. The campaign included a series of attacks targeting journalists and political activists critical of Kazakhstan's authoritarian government, along with their family members, lawyers and associates. References were found to Android components present on the infrastructure built by Dark Caracal.

December 2016 - January 2018 - Mobile surveillance campaigns
Dark Caracal launched mobile surveillance campaigns. About 10 campaigns were found in total.
Alias: APT-C-06, ATK52, DUBNIUM, DARKHOTEL, FALLOUT TEAM, KARBA, LUDER, NEMIM, PIONEER, SIG25, SHADOW CRANE, TAPAOUX
Score: 59
Targeted Sectors: Administration, Defense, Government Agencies, Military, Political Organizations
Motivations & Objectives: Espionage
Language: Korean
Assumed origin of the attacker: South Korea

DESCRIPTION
DarkHotel is a Korean-speaking attacker. While some have attributed this attacker to North Korea, notably because of the overlap between the group and ATK4, there is a consensus linking this threat actor to South Korea instead. The actor targets government entities, especially in the diplomatic, defense and law enforcement fields. It is especially active around the Sea of Japan and the East China Sea. Its goal is espionage against specific individuals.
The group possesses extensive cryptographic knowledge, which allowed it to create fake certificates, and the capacity to develop and use 0-days (especially around Flash Player). It also has access to an extensive and reliable network infrastructure, allowing the group to maintain long-term access to compromised systems.

CAMPAIGNS
Since at least 2007 - Precise attacks in hotels and wide spreading through P2P networks
The group gets its name from the fact that it used hotel networks in order to infect its targets: the group waits for the target to connect to the hotel's WiFi hotspot. Specific individuals will then be

Attacks in 2015 - DarkHotel enhances its techniques
In 2015 the group, while continuing to use its old techniques, put more emphasis on malicious attachments, using HTA files to infect its victims. The group also used RAR files containing executable SCR files that use the RTLO technique to mask
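The RTLO masking mentioned in the 2015 campaign above relies on the Unicode right-to-left override (U+202E): everything after it is drawn reversed, so a file whose real name ends in "cod.scr" is displayed as ending in "rcs.doc". The block below is an added example written for this edition, not DarkHotel tooling or code from the report. It reconstructs what a bidi-aware file manager would display and flags archive members whose real extension is executable but differs from the displayed one. The list of executable extensions and the sample archive listing are assumptions constructed for the demonstration.

```python
"""Detect RTLO (U+202E) filename masquerading in an archive listing.

Added example, not from the report. A member named
"Invitation_2015" + U+202E + "cod.scr" is shown by a bidi-aware renderer as
"Invitation_2015rcs.doc", so the executable looks like a document.
"""
import os

# Unicode bidirectional control characters worth flagging in a filename.
BIDI_CONTROLS = {
    "\u202A": "LRE", "\u202B": "RLE", "\u202C": "PDF", "\u202D": "LRO",
    "\u202E": "RLO", "\u200E": "LRM", "\u200F": "RLM",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}

# Extensions Windows runs on double-click (assumption: list chosen for this example).
EXECUTABLE_EXT = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".hta",
                  ".js", ".jse", ".vbs", ".vbe", ".wsf", ".lnk", ".ps1"}


def displayed_name(name: str) -> str:
    """Approximate what a bidi-aware file manager shows: the text after an RLO
    is rendered reversed until a PDF (U+202C) or the end of the string."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202E":
            end = name.find("\u202C", i + 1)
            if end == -1:
                end = len(name)
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1  # other controls are invisible; drop them from the rendering
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def inspect_filename(name: str) -> dict:
    """Compare the extension the user sees with the one the OS will act on."""
    controls = [(idx, BIDI_CONTROLS[c]) for idx, c in enumerate(name) if c in BIDI_CONTROLS]
    actual = "".join(c for c in name if c not in BIDI_CONTROLS)
    shown = displayed_name(name)
    real_ext = os.path.splitext(actual)[1].lower()
    shown_ext = os.path.splitext(shown)[1].lower()
    return {
        "actual": actual,
        "displayed": shown,
        "real_ext": real_ext,
        "shown_ext": shown_ext,
        "bidi_controls": controls,
        # Suspicious only when a bidi control is present, the real extension is
        # executable, and the rendering hides that extension from the user.
        "suspicious": bool(controls) and real_ext in EXECUTABLE_EXT and shown_ext != real_ext,
    }


def scan_archive_listing(names):
    """Run inspect_filename over the member names of a RAR/ZIP attachment."""
    return [r for r in (inspect_filename(n) for n in names) if r["suspicious"]]


# Constructed sample listing (not from the report): one RTLO-masked .scr, two benign files.
SAMPLE_LISTING = [
    "Invitation_2015\u202Ecod.scr",
    "agenda.docx",
    "setup.exe",
]

if __name__ == "__main__":
    for hit in scan_archive_listing(SAMPLE_LISTING):
        print(f"{hit['displayed']!r} is really {hit['actual']!r} ({hit['real_ext']})")
```

A plain "setup.exe" is deliberately not flagged here: the check is for masquerading, not for executables as such, so it complements rather than replaces an attachment-type policy. Stripping the control characters (the "actual" field) also gives the name to use in detection rules and hashes, since the rendered form varies by application.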
Alias: ATK91, TEMP.VELES, TRITON GROUP, XENOTIME
Score: 59
Targeted Sectors: Energy
Motivations & Objectives: Unknown
Language: Unknown
Assumed origin of the attacker: Russia

DESCRIPTION
TRITON is an attack framework allowing the manipulation of the safety systems of Industrial Control Systems (ICS) in critical infrastructure. It was discovered at the end of 2017 when it caused an accidental shutdown of the machines. FireEye has attributed the development of TRITON to a Moscow research institute linked to the Russian government. The attacker's tools and TTPs indicate that it is prepared to conduct operations that can last several years and require long preparation. In the 2017 attack, the group compromised the target's network almost a year before reaching the SIS (Safety Instrumented System). During this period, priority seems to have been given to operational security. Its lack of “curiosity” during the operation may indicate that the attacker is waiting for something before acting visibly.

A particular international context
This initial attack on Saudi interests by a group whose origin appears to be Russian took place in an unusual international context. It should be recalled that since the end of 2017, Russia and Saudi Arabia have been moving closer together on the diplomatic front. However, if we look at the sector targeted, namely oil, we must remember that since 2014 and the annexation of Crimea, pressure from the West on Russia has been added to the fall in world oil prices, which has plunged Russia into a recession. To stimulate investment, the Kremlin had to find capital and foreign exchange. For this reason, Russia has moved closer to Saudi Arabia, whose alliance with the United States had weakened under the Obama administration in the wake of the Iranian nuclear agreement supported by the former US President. On 1 January 2017, the two countries decided to reduce oil production by 1.8 million barrels per day in order to raise the price of oil. The Triton attack at the end of 2017 took place nine months later, when King Salman travelled to Moscow (November 2017) to prepare for the next OPEC+ meeting, which was supposed to lead to a further reduction in production after March 2018. Nevertheless, those nine months had been marked by two important events that redefined everyone's interests. The change in the US position in favour of Saudi Arabia during the Trump era, by denouncing the Iranian nuclear agreement, and the Gulf crisis of June 2017, which increased tension between the Kingdom and its Shiite rival Iran, weakened relations between Russia and the Saudis. After the meeting of the two leaders and the attack on Saudi Arabia that paralyzed its oil company, Triton launched new attacks in 2018 in the Middle East region and against the United States. Good relations between Saudi Arabia and Russia were reconfirmed in the second week of June 2018, when Saudi Arabia and Russia agreed to stabilize oil prices at an average level of 75 dollars per barrel, while Crown Prince Mohammed bin Salman and President Putin were meeting in Moscow for the opening of the Football World Cup on 14 June.
It should be noted that, according to Dragos, the Triton group (Xenotime) is undoubtedly one of the most dangerous groups known to date, since it attacks industrial safety systems almost exclusively with destructive intent involving potential loss of human life.
Alias: ATK33, PLATINUM, TWOFORONE
Score: 58
Targeted Sectors: Communication, Defence, Financial Services, Government Agencies, International Organizations, Military
Motivations & Objectives: Theft of intellectual property
Language: Unknown
Assumed origin of the attacker: Unknown

DESCRIPTION
PLATINUM is a cyber espionage group active since at least 2009. Its activities are distinctly different not only from those typically seen in untargeted attacks, but from many targeted attacks as well. A large share of targeted attacks can be characterized as opportunistic: the activity group changes its target profiles and attack geographies based on geopolitical seasons and may attack institutions all over the world. Like many such groups, PLATINUM seeks to steal sensitive intellectual property related to government interests, but its range of preferred targets is consistently limited to specific governmental organizations, defence institutes, intelligence agencies, diplomatic institutions and telecommunication providers in South and Southeast Asia. The group's persistent use of spear phishing (phishing attempts aimed at specific individuals) and its access to previously undiscovered zero-day exploits have made it a highly resilient threat. This group does not conduct many infections, unlike APT1, but focuses on a small number of campaigns per year. It often targets the private email accounts of its victims and uses them to access the organization's networks. It uses custom-developed tools which are often updated to avoid detection. Its backdoors are configured to work during the victim's working hours so that their network traffic blends into legitimate traffic. The group uses compromised infrastructure based in multiple countries. In June 2018, Kaspersky detected an ongoing campaign conducted by PLATINUM targeting diplomatic, government and military entities. The group used a new steganography technique to hide its communications.

CAMPAIGNS
2012 - 2013 - Platinum: EasternRoppls campaign
Alias: ATK23, DAGGER PANDA, ICE FOG
Score: 56
Targeted Sectors: Aerospace, Defence, Government Agencies, High-Tech, Maritime
Motivations & Objectives: Espionage
Language: Chinese
Assumed origin of the attacker: China

DESCRIPTION
Icefog is a Chinese cyber espionage group active since at least 2011. The group is described by Kaspersky as “small, with a relative lack of complexity”, but it successfully compromised its targets, mostly defence contractors, industrial companies, shipbuilding companies, telecommunication operators and media in Japan, Taiwan and South Korea.
After the Kaspersky reports of September 2013 and January 2014, the group disappeared. In 2015, after nearly a year of silence, new variants of ICEFOG (ICEFOG-M and ICEFOG-P) were found, used in campaigns whose targets did not match previously seen campaigns. According to the researcher Chi-en Shen from FireEye, the new variants of the ICEFOG backdoor are used by multiple Chinese groups (APT9, APT15, Goblin Panda and another group named “Temp Group A”, which may be the original Icefog group). The conclusion is that the ICEFOG backdoor cannot be used to attribute a campaign.

CAMPAIGNS
2011 - 2013 - Icefog campaign against Japan, South Korea and Taiwan
In 2011 the group targeted the Japanese House of Representatives and the House of Councillors. During this period an APT campaign focused on the supply chain, targeting government institutions, military contractors, maritime and shipbuilding groups, was also discovered. The group targeted Japan, South Korea and Taiwan.
NB: In 2014, Kaspersky published a report on Icefog which prompted the attacker to develop new versions of the malware. Nevertheless, these new versions have been used by other groups in many campaigns and therefore cannot be linked to the original group, since it is not necessarily possible to determine whether it is the same group or another.
Alias: ATK120, HEXANE, LYCEUM
Score: 55
Targeted Sectors: Energy
Motivations & Objectives: Attacks on industrial security systems almost exclusively with destructive intent
Language: Unknown
Assumed origin of the attacker: Unknown

DESCRIPTION
The ATK120 threat group (Lyceum, Hexane) targets organizations in sectors of strategic national importance, including oil and gas and possibly telecommunications. LYCEUM may have been active as early as April 2018. Domain registrations suggest that a campaign in mid-2018 focused on South African targets. In May 2019, the threat group launched a campaign against oil and gas organizations in the Middle East. This campaign followed a sharp uptick in development and testing of its toolkit against a public multi-vendor malware scanning service in February 2019. Its core targets are very similar to those of the APT Xenotime (ATK91), and some similarities can be found with Magnallium and Chrysene. No definitive links can be established.

TOOLS, MALWARES AND VULNERABILITIES
DanBot
A first-stage remote access trojan (RAT) that uses DNS- and HTTP-based communication mechanisms and provides basic remote access capability, including the ability to execute arbitrary commands via cmd.exe and to upload and download files. DanBot is written in C# using .NET Framework 2.0. The DNS channel of DanBot's C2 protocol uses both IPv4 A records and IPv6 AAAA records for communication. The HTTP channel has evolved slightly since the early 2018 samples but retains common elements throughout.

DanDrop
ATK120 uses this malicious macro to extract the DanBot payload from the weaponized document, then Base64-decode it and install the malware using a scheduled task. The basic form and function of the macro have remained constant across analyzed samples, but the threat actors have made incremental improvements to obfuscate the macro and refactor some of the functionality.

kl.ps1
kl.ps1 is a custom keylogger written in PowerShell that leverages elements of the Microsoft .NET Core framework. It captures the window title and keystrokes on infected systems and stores them as Base64-encoded data. It is deployed using a scheduled task and a VBScript file.

Decrypt-RDCMan.ps1
Decrypt-RDCMan.ps1 is a component of the PoshC2 penetration testing framework. It is used to decrypt passwords stored in the RDCMan configuration file, which stores details of servers and encrypted credentials to quickly establish remote desktop sessions. Recovered credentials could give the threat actors additional access within the environment. LYCEUM deployed this tool via DanBot approximately one hour after gaining initial access to a compromised environment.

Get-LAPSP.ps1
Get-LAPSP.ps1 is a PowerShell script that gathers account information from Active Directory via LDAP. It appears to contain borrowed code and has been run through an obfuscation script such as Invoke-Obfuscation. LYCEUM deployed this tool via DanBot shortly after gaining initial access to a compromised environment.
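DanBot's DNS channel, as described above, carries data in both A and AAAA records: the client encodes what it sends in the subdomain labels of its queries, and the server answers with addresses whose bytes are the response. The block below is an added example written for this edition, not DanBot's code or protocol. It shows the capacity arithmetic (4 bytes per A answer, 16 per AAAA answer, framed here with an assumed 2-byte length prefix) and a defender-side heuristic over a resolver query log that flags a client whose queries to one domain are almost all unique, high-entropy labels. The log line format, the thresholds and the sample log lines are assumptions constructed for the example; `c2-example.test` is a placeholder domain.

```python
"""DNS-channel C2 in the style described for DanBot: data in query labels and in
A/AAAA answers. Added example; framing, log format and thresholds are assumptions."""
import ipaddress
import math
import re
from collections import defaultdict


# --- server side: how much a reply can carry ---------------------------------
# An A record holds 4 bytes, an AAAA record 16. A 2-byte length prefix (assumed)
# frames the blob so the last address's zero padding is not mistaken for data.
def payload_to_aaaa(data: bytes) -> list:
    framed = len(data).to_bytes(2, "big") + data
    return [str(ipaddress.IPv6Address(framed[i:i + 16].ljust(16, b"\x00")))
            for i in range(0, len(framed), 16)]


def aaaa_to_payload(addrs: list) -> bytes:
    raw = b"".join(ipaddress.IPv6Address(a).packed for a in addrs)
    n = int.from_bytes(raw[:2], "big")
    return raw[2:2 + n]


# --- defender side: heuristics over a resolver query log -----------------------
def shannon_entropy(text: str) -> float:
    """Bits per character; hostnames sit around 2-3, encoded data near the alphabet's maximum."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


# Assumed log line shape: "<timestamp> <client> query: <qname> IN <qtype>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query: (?P<qname>\S+) IN (?P<qtype>[A-Z]+)$")


def score_dns_log(lines, zone_depth=2, min_queries=8, uniq_threshold=0.9, entropy_threshold=3.5):
    """Group queries per (client, registrable domain) and flag tunnel-like use:
    almost every query carries a never-seen subdomain, and the longest label is
    high-entropy (encoded data rather than a hostname)."""
    groups = defaultdict(lambda: {"subs": set(), "total": 0, "aaaa": 0, "ent": []})
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        labels = m["qname"].rstrip(".").split(".")
        if len(labels) <= zone_depth:
            continue  # bare domain: no subdomain label to carry data in
        domain = ".".join(labels[-zone_depth:])
        sub_labels = labels[:-zone_depth]
        g = groups[(m["client"], domain)]
        g["subs"].add(".".join(sub_labels))
        g["total"] += 1
        g["aaaa"] += m["qtype"] == "AAAA"
        g["ent"].append(shannon_entropy(max(sub_labels, key=len)))
    findings = []
    for (client, domain), g in groups.items():
        if g["total"] < min_queries:
            continue
        uniq = len(g["subs"]) / g["total"]
        ent = sum(g["ent"]) / len(g["ent"])
        if uniq >= uniq_threshold and ent >= entropy_threshold:
            findings.append({"client": client, "domain": domain, "queries": g["total"],
                             "unique_ratio": round(uniq, 2), "avg_entropy": round(ent, 2),
                             "aaaa_ratio": round(g["aaaa"] / g["total"], 2)})
    return findings


# --- constructed sample log (not real traffic) ---------------------------------
def _encoded_label(i: int) -> str:
    # 48 hex chars in which every nibble value occurs exactly three times (entropy 4.0 bits)
    return "".join(f"{(i * 7 + j) % 16:x}" for j in range(48))


SAMPLE_LOG = [
    f"2019-08-12T09:{i:02d}:00Z 10.0.0.5 query: {host}.example.com IN A"
    for i, host in enumerate(["www"] * 5 + ["mail"] * 3 + ["cdn"] * 2)
] + [
    f"2019-08-12T10:{i:02d}:00Z 10.0.0.7 query: {i:02x}.{_encoded_label(i)}.c2-example.test IN "
    + ("AAAA" if i % 2 else "A")
    for i in range(40)
]

if __name__ == "__main__":
    for finding in score_dns_log(SAMPLE_LOG):
        print(finding)
```

The unique-subdomain ratio and label entropy are the two signals that survive an attacker switching between A and AAAA answers, since they come from the query side; the AAAA ratio is reported only as context. Both thresholds need tuning per environment: CDNs, anti-virus signature lookups and some telemetry agents also generate many unique subdomains, so an allow-list of known domains belongs in front of this check.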
CAMPAIGNS
August 2019 - ATK120 (Lyceum, Hexane) targets oil and gas companies in the Middle East
In August 2019 ATK120 targeted oil and gas companies in the Middle East, with Kuwait as a primary operating region. However, ATK120's area of intervention extends to other regions, as it has targeted telecommunications providers in the Greater Middle East, Central Asia and Africa, potentially as a stepping stone to network-focused man-in-the-middle and related attacks.
Discovery: T1087 - Account Discovery
Lateral Movement: T1076 - Remote Desktop Protocol
Collection: T1056 - Input Capture
Command and Control: T1043 - Commonly Used Port; T1071 - Standard Application Layer Protocol
Alias: APT-C-38, ATK112, ZOOPARK
Score: 54
Targeted Sectors: Media, Political Organizations
Motivations & Objectives: Espionage
Language: Unknown
Assumed origin of the attacker: Unknown

DESCRIPTION
ATK112 is a group that mostly uses an Android malware, “UnitMM”, which has seen multiple iterations. The group was first noticed in June 2015 and is still active to this day. It mostly focuses on espionage and has made technical progress since its debut: while it first used forked commercial software to accomplish its goals, the group extended it into a fully-fledged espionage platform. According to 360 Beacon Lab, however, the group purchases its malicious software from a commercial development group nicknamed “Apasec”.
The group deploys its tools through multiple vectors, mainly Telegram channels and watering holes. Indeed, it regularly uses compromised websites in order to gain access to its targets. The group also started using an exclusive Windows malware, nicknamed “SpecialSaber”.

CAMPAIGNS
Since 2015 - APT-C-38 targets the Middle East
Since 2015, APT-C-38 has focused on specific geographic zones in the Middle East, as can be seen from the themes of some infected Android applications and of the compromised websites, notably:
• the Iranian Kurdistan province (infected fake polling app);
• Iraqi Kurdistan (infected fake referendum app);
• Egypt (compromised news website);
• Lebanon and Jordan (compromised Arabic news website, especially popular in these countries);
• Kuwait (compromised news website).
Alias _ Threat Actor _ Targeted Sectors _ Motivations
APT-C-27 Cyber Criminal Unknown & Objectives _
ATK80 Espionage
Cyber Terrorist
GOLDMOUSE
GOLDEN RAT Hacktivist
52
State Sponsored
Unknown
Language
Unknown
DESCRIPTION
ATK80 (APT-C-27, GoldMouse or Golden Rat) is a threat actor active since at least November 2014. It launched targeted long-term attacks against organizations in the Syrian region using Android and Windows malware. Its objective is the theft of sensitive information. Its malware is mainly disguised as common chat software such as ChatSecure, WhatsApp or Telegram. It also uses njRat, an open-source Remote Access Trojan created in 2012 and often used against targets in the Middle East.
The initial access techniques include the creation of fake websites, helped by typosquatting, used to lead the user to download the malicious messaging app. The group also used social media like Facebook to induce users to download the malicious software from a specified link. Its Android spyware has the ability to record audio, take photographs, track GPS position, upload contacts, call records, SMS and files, execute cloud commands, etc. These capabilities allow the attacker to efficiently track a person.
Focus on the international context
There are several indications that this group, linked to Iran, is serving the international interests of the Shia Islamic Republic. It should be recalled that Iran, in a context of Cold War with Saudi Arabia, has been involved in the Syrian conflict (as have many other countries). By supporting the power of President Bashar Al-Assad, the Republic of the Ayatollahs wishes to consolidate the Shia arc that connects Iran to the Mediterranean Sea through Iraq, Alawi Syria (Shia branch) and Lebanon through Hezbollah.
The characteristics of the group seem to indicate a match of interests. First, the start dates of the group's activities are evocative: November 2014 corresponds to a period when DAESH's dangerous nature for President Bashar Al-Assad's power-strengthening enterprise is confirmed. Countering DAESH and the rebels makes it possible to consolidate the Shiite hold on the country, especially when we know that until June 2015 the Syrian regime suffered several military failures. In addition, on 7 October 2015, General Hossein Hamadani, a very influential figure among the Guards of the Islamic Revolution, was killed by Daesh according to the Iranian government. Secondly, the modus operandi of prioritizing the infiltration of messaging applications known to be used by both terrorists and rebels constitutes a second set of objectives: it is a question of espionage on the opponents of the Syrian President's power.
CAMPAIGNS
This group attacks in waves:
July 2015 - November 2016 - Attacks using DarkComet, VBS Backdoor, AndroRAT and multiple JavaScript Backdoors.
March 2019 - The group started [...] computer [...] AndroRAT and [...] Android devices [...] multiple types of payloads.
The language used in the malware and in the lure documents is Arabic. The lure documents are about terrorist attacks, a sensitive subject in the Middle East region.
Timeline:
- Oct-2014: Attacks against Syria using njRat
- Dec-2016: Attacks using a custom Android RAT, a custom Windows RAT, a JavaScript Backdoor
Assumed origin of the attacker: Iran
Mobile ATT&CK
T1476 - Deliver Malicious App via Other Means
T1401 - Abuse Device Administrator Access to Prevent Removal
T1437 - Standard Application Layer Protocol
T1412 - Capture SMS Messages
T1430 - Location Tracking
T1432 - Access Contact List
T1429 - Microphone or Camera Recordings
T1481 - Web Service
T1433 - Access Call Log
Alias: ATK32, CARBANAK (?), FIN7, AG-CR1
Score: 52
Threat Actor (one of): Cyber Criminal, Cyber Terrorist, Hacktivist, State Sponsored, Unknown
Targeted Sectors: Casino & Gaming, Communication, Education, Energy, Financial Services, High-Tech, Hospitality, Retail
Motivations & Objectives: Personal-gain
Language: Unknown
DESCRIPTION
FIN7 is a financially motivated group that has been active since at least 2013 and primarily targets the retail, hospitality and restaurant sectors, mainly in the U.S. There are assumptions that this is the same group as Carbanak, but it appears that these are two separate groups using similar tools, and they are therefore currently tracked separately. Its main goal is to steal financial assets from companies, such as debit cards, or to get access to financial data or to the computers of finance department employees in order to conduct wire transfers to offshore accounts. The group often uses phishing as its main attack vector, including tailored spear-phishing campaigns. In addition, the group used a front company dubbed "Combi Security", purportedly headquartered in Russia and Israel, to provide a guise of legitimacy and to recruit hackers to join the criminal enterprise.
Assumed origin of the attacker: Russia
CAMPAIGNS
February 2017 - US-SEC filings
The group carried out a campaign targeting United States Securities and Exchange Commission (SEC) filings at various organizations. The campaign used spear-phishing methods against personnel involved with the US-SEC filings.
March 2017 - Fileless Malware Campaigns
The group was associated with two campaigns targeting financial institutions, government agencies and other enterprises. The campaigns used fileless malware and known penetration testing tools and utilities.
April 2017 - Hidden Shortcut Files
In a new campaign, the group modified its phishing techniques, initiating the infection using phishing lures that implemented hidden shortcut (LNK) files to avoid detection. The attack then used VBScript to infect the victim. This method replaced the previous use of weaponized Microsoft Office macros.
June 2017 - Evasive Restaurant Campaign
A sophisticated fileless attack was identified on June 7, 2017, targeting restaurants across the US, seizing system control and installing a backdoor to steal financial information. The campaign incorporated new evasion techniques, bypassing both signature- and behavior-based security mechanisms.
2017 - Carbanak
Attacks carried out by the group were found to install the CARBANAK backdoor for persistent access. The attacks leveraged an application shim database to inject a malicious in-memory patch into the "services.exe" process, and then spawn a CARBANAK backdoor process.
October 2017 - Banks and Enterprises
Another campaign took place between October 8-10, 2017, targeting banks and enterprises. Like previous campaigns, this attack also bypassed most security solutions.
2018 - High Profile Breaches
A campaign by the group was identified, breaching several high-profile American companies. Reportedly over five million credit and debit card numbers were affected by the breach.
November 2018
Two new campaigns were identified in the first two weeks of November 2018. The attacks resembled previous campaigns by the group but included small variations in order to bypass security vendors.
March 2019
After the arrest of suspected high-ranking members of the group in August 2018, the group resumed its activities with a new set of administrator tools and never-before-seen forms of malware. This campaign included phishing emails with malicious attachments containing SQLRat. This technique had not been seen before in FIN7 tactics.
Timeline:
- Feb-2017: US-SEC filings
- Mar-2017: Fileless malware campaigns
- Apr-2017: Hidden Shortcut Files
- Jun-2017: Evasive Restaurant campaign
- 2017: Carbanak
- Oct-2017: Banks and enterprises
- 2018: High Profile Breaches
- Nov-2018: Two new campaigns
- Mar-2019: The group resumed its activities with a new set of administrator tools and never-before-seen forms of malware
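The Carbanak entry above describes persistence through an application shim database that patches "services.exe" in memory. Installing such a shim leaves a predictable trail: an sdbinst.exe execution, a custom .sdb file under the AppPatch\Custom directory, and value writes under the AppCompatFlags\Custom and AppCompatFlags\InstalledSDB registry keys (the locations Windows uses for custom shims). The following Python is an added example, not code from the report and not a description of FIN7 tooling; it correlates Sysmon-style events (IDs 1, 11 and 13) into one alert. The events, GUID and file names are constructed placeholders.

```python
"""Correlate Sysmon-style events into an application-shim persistence alert
(added example; the events below are constructed, not real telemetry)."""
import re

# Registry branches Windows uses for custom shims: Custom\<shimmed exe>\<sdb>
# and InstalledSDB\<guid>\DatabasePath.
APPCOMPAT_KEY = re.compile(r"\\AppCompatFlags\\(Custom|InstalledSDB)\\([^\\]+)", re.IGNORECASE)
APPPATCH_CUSTOM = re.compile(r"\\AppPatch\\Custom\\", re.IGNORECASE)
# Core processes that a compatibility shim should never target.
SYSTEM_PROCESSES = {"services.exe", "lsass.exe", "winlogon.exe", "csrss.exe", "svchost.exe"}

PLACEHOLDER_GUID = "{00000000-0000-0000-0000-000000000000}"  # constructed, not an IoC

# Constructed events using Sysmon field names (1 = ProcessCreate,
# 11 = FileCreate, 13 = RegistryEvent value set). Paths are placeholders.
EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\sdbinst.exe",
     "CommandLine": "sdbinst.exe -q C:\\Windows\\Temp\\placeholder.sdb"},
    {"EventID": 11,
     "TargetFilename": f"C:\\Windows\\AppPatch\\Custom\\{PLACEHOLDER_GUID}.sdb"},
    {"EventID": 13,
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags"
                     f"\\Custom\\services.exe\\{PLACEHOLDER_GUID}.sdb"},
    {"EventID": 13,
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags"
                     f"\\InstalledSDB\\{PLACEHOLDER_GUID}\\DatabasePath",
     "Details": f"C:\\Windows\\AppPatch\\Custom\\{PLACEHOLDER_GUID}.sdb"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"},
]


def classify_event(ev):
    """Map one event to a (kind, detail) shim indicator, or None if unrelated."""
    eid = ev.get("EventID")
    if eid == 1 and ev.get("Image", "").lower().endswith("\\sdbinst.exe"):
        return ("sdbinst_exec", ev.get("CommandLine", ""))
    if eid == 11 and APPPATCH_CUSTOM.search(ev.get("TargetFilename", "")):
        return ("custom_sdb_file", ev.get("TargetFilename", ""))
    if eid in (12, 13):
        m = APPCOMPAT_KEY.search(ev.get("TargetObject", ""))
        if m:
            # group(2) is the shimmed executable (Custom) or the SDB GUID (InstalledSDB)
            return ("registry_" + m.group(1).lower(), m.group(2))
    return None


def detect_shim_persistence(events):
    """Return an alert dict, or None when no shim-related activity is present."""
    indicators = [i for i in map(classify_event, events) if i]
    if not indicators:
        return None
    kinds = {kind for kind, _ in indicators}
    shimmed = sorted({leaf.lower() for kind, leaf in indicators if kind == "registry_custom"})
    if set(shimmed) & SYSTEM_PROCESSES:
        severity = "high"      # a shim on a core system process: in-memory patching pattern
    elif "registry_custom" in kinds and ("sdbinst_exec" in kinds or "custom_sdb_file" in kinds):
        severity = "medium"    # custom shim installed: confirm it is an approved compatibility fix
    else:
        severity = "low"       # a lone indicator; worth a look, not an incident by itself
    return {"severity": severity, "shimmed_processes": shimmed, "indicators": indicators}


if __name__ == "__main__":
    print(detect_shim_persistence(EVENTS))
```

The severity ladder is the design choice worth copying: legitimate compatibility fixes also produce sdbinst executions and InstalledSDB writes, so the alert only escalates when the shimmed executable is a core system process or when the install is accompanied by a fresh custom .sdb file.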
Alias: ATK103, TA505
Score: 50
Threat Actor (one of): Cyber Criminal, Cyber Terrorist, Hacktivist, State Sponsored, Unknown
Targeted Sectors: Financial Services
Motivations & Objectives: Financial Gain
Language: Russian
DESCRIPTION
The Threat Actor 505 (ATK103, TA505) has been active since at least 2014. It is a significant part of the email threat landscape and is responsible for the largest malicious spam campaigns Proofpoint has ever observed, distributing instances of the Dridex banking trojan, Locky ransomware, Jaff ransomware, the Trick banking trojan, and several others in very high volumes. ATK103 uses the Necurs botnet to drive massive spam campaigns. ATK103 seems to be motivated by financial gain. It is highly adaptable, often changes its malware and techniques, uses off-the-shelf malware and operates on a massive scale. It doesn't seem to be trying to stay stealthy. Since March 2018, ATK103 has been observed using FlawedAmmyy RAT, a variant of the leaked AmmyyAdmin 3 (Remote Administration Tool). The use of these tools suggests that this actor wants to switch from big spam campaigns to more targeted attacks. In July 2018, ATK103 was seen using SettingContent-ms files in its decoy documents. This technique was described by Matt N., and in early June 2018 MSRC responded with a note that the severity of the issue is below the bar for servicing and that the case would be closed. Some of these malwares were signed with a COMODO SECURE certificate. ATK103 seems to be a Russian-speaking group.
Assumed origin of the attacker: Unknown
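The SettingContent-ms technique mentioned above works because the file is plain XML whose DeepLink element is run as a command line when the file is opened, so a lure only has to point it at a command interpreter. The following Python is an added example, not code from the report, from TA505 or from Microsoft: it parses such a file and flags any DeepLink that launches something other than the Control Panel launcher or an ms-settings: URI. The two sample files are constructed for the example (the benign one follows the layout of the stock Windows files), and the dropped-file path in the malicious sample is a placeholder.

```python
"""Inspect SettingContent-ms files for DeepLink values that launch a command
interpreter instead of the Windows Settings app (added example, not from the report)."""
import re
import xml.etree.ElementTree as ET

NS = {"sc": "http://schemas.microsoft.com/Search/2013/SettingContent"}

# Launchers the stock Windows SettingContent-ms files use.
ALLOWED_LAUNCHERS = {"control.exe", "systemsettings.exe"}
# Interpreters and LOLBins that have no business being a Settings deep link.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}

# Constructed sample modelled on the shape of a stock Windows file (not a real file).
BENIGN = """<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
      <DeepLink>%windir%\\system32\\control.exe /name Microsoft.BackupAndRestoreCenter</DeepLink>
      <Icon>%windir%\\system32\\control.exe</Icon>
    </ApplicationInformation>
    <SettingInformation>
      <Description>@shell32.dll,-4161</Description>
      <Keywords>@shell32.dll,-4161</Keywords>
    </SettingInformation>
  </SearchableContent>
</PCSettings>
"""

# Constructed sample of the abuse: identical structure, DeepLink rewired to cmd.exe.
MALICIOUS = BENIGN.replace(
    "%windir%\\system32\\control.exe /name Microsoft.BackupAndRestoreCenter",
    "C:\\Windows\\System32\\cmd.exe /c start %TEMP%\\placeholder_dropped.exe",
)


def extract_deeplinks(xml_text):
    """Return every DeepLink string in the file (there is normally exactly one)."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return [(el.text or "").strip() for el in root.iterfind(".//sc:DeepLink", NS)]


def launcher_of(deeplink):
    """Basename of the executable a DeepLink would run: first token, quotes honoured,
    %windir% / %SystemRoot% expanded to the default install path."""
    expanded = re.sub(r"%(windir|systemroot)%", r"C:\\Windows", deeplink, flags=re.IGNORECASE)
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', expanded)
    token = (m.group(1) or m.group(2)) if m else ""
    return token.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(xml_text):
    """Classify each DeepLink as benign, suspicious or malicious."""
    findings = []
    for link in extract_deeplinks(xml_text):
        exe = launcher_of(link)
        if link.lower().startswith("ms-settings:") or exe in ALLOWED_LAUNCHERS:
            verdict = "benign"
        elif exe in SCRIPT_HOSTS:
            verdict = "malicious"    # command interpreter or LOLBin used as the launcher
        else:
            verdict = "suspicious"   # unexpected launcher: review by hand
        findings.append({"deeplink": link, "launcher": exe, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(name, assess(sample))
```

A mail gateway or sandbox can apply the same check to SettingContent-ms objects embedded in Office documents once they are extracted; the allow-list approach is deliberately narrow because the legitimate files only ever launch the Settings app or Control Panel.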
CAMPAIGNS
TA505 impersonates Airlines
Tool: N/A
Timeline:
- Apr-2019: New campaign of the Russian group TA505 directed to Chile and Argentina
- May-2019: TA505 is Expanding its Operations
- May-2019: Malicious documents spreading Ransomware
- Jun-2019: Breaking down TA505 Group use of HTML and RATs
- Jul-2019: TA505 impersonates Airlines
- Jul-2019: TA505 using new malware Gelup and Flowerpipi
121
Alias _ Threat Actor _ Targeted Sectors _ Motivations
ATK103 Cyber Criminal Financial Services & Objectives _
TA505 Financial Gain
Cyber Terrorist
Hacktivist
50 State Sponsored
Unknown
Language
Russian
Unknown
123
Alias: ATK 92, GORGON GROUP, SUBAAT, TAG-CR5
Score: 48
Threat Actor (one of): Cyber Criminal, Cyber Terrorist, Hacktivist, State Sponsored, Unknown
Targeted Sectors: Government Agencies
Motivations & Objectives: Organizational-gain
Language: Urdu
DESCRIPTION
Gorgon Group is engaged both in cyber criminal attacks and in targeted attacks against worldwide governmental organizations. The group has been active since 2017 and is believed to be operating from Pakistan. The group's campaigns targeted government organizations in the United Kingdom, Spain, Russia, and the United States.
CAMPAIGNS
July 2017 - Phishing campaign targeting a US-based government organization
During the campaign, the threat actors sent over 40 emails containing three unique files, two RTFs and a Microsoft Excel file. The RTF files exploited CVE-2012-0158 and were used as downloaders to deliver the QuasarRAT malware family. In addition, the RTFs used obfuscation within the documents themselves, making it more difficult to extract the embedded shellcode. The Excel file contained malicious macros that eventually drop and execute Crimson Downloader. The QuasarRAT was downloaded from a host named subaat[.]com. Later, security researchers found out that Subaat was possibly part of a larger crew of individuals responsible for carrying out targeted attacks against worldwide governmental organizations. This larger crew is named Gorgon Group.
February 2018 - Phishing campaign against the United Kingdom, Spain, Russia, Switzerland and the United States
In February 2018, Gorgon Group started a campaign of cyber-attacks against governmental organizations in the United Kingdom, Spain, Russia, and the United States. In addition, at the same time, members of Gorgon Group also attacked targets in criminal operations across the globe, often using shared infrastructure with their targeted attack operations. During the campaign the group sent phishing emails containing malicious Microsoft Word documents exploiting a vulnerability in Microsoft Office. The payload was delivered via bitly, a URL shortener. The attack process used bitly as part of the dropping process when communicating with the command server.
March 2019 - Aggah Campaign
In March 2019, phishing emails were sent to education, media/marketing, medical, technology, and government organizations in the Middle East, United States, Europe and Asia. During the campaign, the attackers sent Word documents that attempted to load a remote OLE document via Template Injection. The OLE document contains a macro which obtains a script that uses multiple Pastebin pastes to download additional scripts, which finally download RevengeRAT. Of note, it is uncertain whether this campaign is indeed associated with the Gorgon Group.
Timeline:
- Jul-2017: Phishing campaign targeting a US-based government organization
- Feb-2018: Phishing campaign against the United Kingdom, Spain, Russia, Switzerland and the United States
- Mar-2019: Aggah campaign
Assumed origin of the attacker: Pakistan
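The Template Injection used in the Aggah campaign above relies on a feature of the OOXML format: a .docx can carry an attachedTemplate relationship whose target is external, and Word fetches that target when the document opens. Because the relationship lives in the package's .rels parts, it can be found without rendering the document. The following Python is an added example, not code from the report or from any vendor: it builds minimal .docx fixtures in memory (constructed, not real documents) and scans every .rels part for template or OLE relationships that point to the network. The placeholder host names are not indicators from the report.

```python
"""Find remote-template (Template Injection) and remote OLE relationships in a
.docx package (added example; fixtures are constructed, not real documents)."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
WATCHED_TYPES = {OFFICE_REL + "attachedTemplate", OFFICE_REL + "oleObject"}
# http(s)/ftp URLs, UNC paths, and file: URLs that name a host rather than a local drive.
REMOTE_TARGET = re.compile(r"^(https?|ftp)://|^\\\\|^file://(?!/[a-z]:)", re.IGNORECASE)
WML_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def build_docx(template_target=None):
    """Construct a minimal .docx in memory; with a target, attach it as the
    document template via word/_rels/settings.xml.rels (test fixture only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        z.writestr("word/document.xml", f"<w:document xmlns:w='{WML_NS}'><w:body/></w:document>")
        if template_target is not None:
            z.writestr("word/settings.xml",
                       f"<w:settings xmlns:w='{WML_NS}' xmlns:r='{OFFICE_REL[:-1]}'>"
                       "<w:attachedTemplate r:id='rId1'/></w:settings>")
            z.writestr("word/_rels/settings.xml.rels",
                       f"<Relationships xmlns='{PKG_REL_NS}'>"
                       f"<Relationship Id='rId1' Type='{OFFICE_REL}attachedTemplate' "
                       f"Target='{template_target}' TargetMode='External'/></Relationships>")
    return buf.getvalue()


def find_remote_relationships(docx_bytes):
    """Return [(part, relationship kind, target)] for template/OLE relationships
    whose target would be fetched over the network when the document opens."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part in z.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(part))
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                rtype, target = rel.get("Type", ""), rel.get("Target", "")
                if (rtype in WATCHED_TYPES and rel.get("TargetMode") == "External"
                        and REMOTE_TARGET.search(target)):
                    hits.append((part, rtype.rsplit("/", 1)[-1], target))
    return hits


if __name__ == "__main__":
    print(find_remote_relationships(build_docx("http://placeholder.invalid/template.dotm")))
    print(find_remote_relationships(build_docx("file:///C:/Users/alice/Templates/Normal.dotm")))
```

The local-drive exception matters in practice: documents created from a user template legitimately carry an external `file:///C:/...` attachedTemplate relationship, so flagging every external template would bury the real cases among ordinary files.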
Alias: ATK 196, Syrian Electronic Army, SEA, Syria Malware Team, TAG-CT2
Score: 47
Threat Actor (one of): Cyber Criminal, Cyber Terrorist, Hacktivist, State Sponsored, Unknown
Targeted Sectors: Communication, Defense, Government Agencies, High-Tech, Media, Military, Political Organizations, Retail
Motivations & Objectives: Coercion, Dominance, Ideology, Notoriety, Organizational-gain, Revenge, Unpredictable
Language: English, Arabic
DESCRIPTION
The Syrian Electronic Army is a hacking group active since the beginning of the Syrian Civil War in 2011. The group supports the current regime of Bashar Al-Assad and, according to several reports, it is actually part of it. At the height of the civil war, the group launched many cyber-attacks, usually against the online platforms of media outlets, in order to deface them and spread its pro-Syrian-regime agenda. The attacks and defacements were not just against the official websites of the media outlets, but also against their social media accounts and even their registrar. In addition, the group is known to use different types of malware, usually against groups and individuals that oppose Al-Assad's regime. These malwares are of various types and usually have advanced capabilities. In addition, they usually used spear-phishing as their attack vector, but also other techniques such as watering holes. All of this indicates the high professional level of its members and their capabilities. Their attacks were occasionally launched by groups and hackers affiliated with the SEA, such as the Syrian Malware Team, who share infrastructure and personnel with the SEA. Of note, in recent years, cyber-attacks affiliated with the group have become more and more rare.
Assumed origin of the attacker: Syria
CAMPAIGNS
July 2013 - Tango and Viber attack
The VOIP apps Tango and Viber were hacked by the group, and technical and customer data was stolen. They were able to steal the server directory and app log, alongside user content.
End of 2013 - 2015 - Phishing attacks against the Syrian opposition
The group compromised email accounts of Syrian personnel active in Syrian opposition groups, who lived outside of Syria. At first, an email account of a member of one of the organizations was hacked to gain a foothold in the system. In order to obtain the account information, different attack vectors were used, such as brute force and spear-phishing. Following this, the attacker downloaded all the data saved on the compromised account, such as old messages, the address book and more. At the last stage, the attackers used the compromised account to launch spear-phishing attacks against users from the same organization.
February 2014 - Changing Facebook's WHOIS information
The group hacked the administrator account of MarkMonitor, the registrar of Facebook. Following this, they changed the contact information in Facebook's WHOIS records to be those of the SEA. They also claimed that they were able to hijack the domain, but that was denied by Facebook. They claimed they did it as retaliation for the closing of Facebook pages connected to the group.
April 2014 - Reuters attack
The homepage of the website of Reuters was defaced by the SEA. In this campaign they targeted a third-party service, Taboola, which uploads its code into Reuters' website. It is unclear how Taboola was hacked, but it is believed it was done through phishing attacks, as in other attacks of the group. By hacking Taboola's widget, the visitors to Reuters' website were redirected to another website controlled by the SEA, calling to stop spreading fake news about Syria and calling on the British government to stop supporting the "terrorists".
July 2014 - BlackWorm campaign
The Syrian Malware Team, which is highly affiliated with the Syrian Electronic Army, used the BlackWorm malware against different victims, who were not disclosed.
November 2014 - British and American media outlets attacks
The SEA hacked a few American and British news outlets such as the Daily Telegraph, the Canadian Broadcasting Corporation and the New York Daily News, and retail companies such as Walmart Canada, defacing their websites.
January 2015 - Le Monde hack
The group took over the Twitter account of the French newspaper Le Monde after they acquired its credentials through a spear phishing attack. During that time, they tweeted against the French support of the Syrian opposition. In addition, the newspaper announced that there was an attempt to launch a DDoS attack against its website to bring it down at the same time.
July 2015 - US Army website hack
The group hacked the US army website, and displayed a pop-up message to all the visitors of the website saying: "Your commanders admit they are training the people they have sent you to die fighting."
August 2015 - Washington Post hack
The campaign started when spear-phishing emails were sent to Washington Post journalists, until one of the sports writers was enticed to provide the password to his email. Through this account, the group sent additional phishing emails, most probably containing malware, to other employees. After gaining access to the website, they were able to redirect readers of the website to the SEA website and take over the Twitter accounts of some of the journalists to spread pro-Syrian slogans. The paper also claimed that the attack was done by hacking Outbrain, a third-party service they use for content recommendation.
2016 - 2018 - SilverHawk campaign
The group used fake updates for messaging apps to spread the SilverHawk malware against different victims.
December 2017 - Attack against the Syrian opposition websites and social media accounts
The group took down websites and social media pages operated by the Syrian opposition. The SEA did it by taking control of the websites themselves, or by reporting those websites and accounts to the social media platform.
Alias: ATK128, OurMine, OurMine (security group), TAG-HA10
Score: 40
Threat Actor (one of): Cyber Criminal, Cyber Terrorist, Hacktivist, State Sponsored, Unknown
Targeted Sectors: Casino & Gaming, Communication, High-Tech, Media
Motivations & Objectives: Coercion, Dominance, Personal-gain, Personal-satisfaction, Revenge
Language: English
DESCRIPTION
OurMine is a hacking group active since mid-2016 that has been identified as being from Saudi Arabia. They are mostly known for taking over the Twitter accounts of high-ranking personnel such as CEOs of large corporations, and the Twitter accounts of organizations themselves. In most cases they claimed that they took over the account to show its owner its low level of security, while requesting them to contact the group directly to solve this problem. This shows that the group presents itself as a kind of grey-hat group that looks for vulnerabilities and security issues in order to receive money from the companies in which these issues were found. This was also the case with the two DDoS attacks they launched against HSBC bank and Pokemon Go (in 2016 and 2017 respectively), allegedly to enhance the level of security of those companies. However, even though OurMine tried to present itself as a group that enhances the cyber security of companies, some of its attacks were done as revenge. For example, they took over a media website after it published an article that allegedly revealed the real identity of the threat actor behind the group, a teen from Saudi Arabia. Another example was when they leaked information of a company that did not contact them about security issues they found in its servers. Furthermore, in some cases they tried to brag about their capabilities, as when they were challenged to hack the website of WikiLeaks in 2017. Overall, the group did not launch very sophisticated attacks, and all the attacks were detected very quickly. Of note, since mid-2017, the group is not active, and its website seems to be under maintenance.
Assumed origin of the attacker: Saudi Arabia
CAMPAIGNS
June 2016 - Twitter accounts hack
The group hacked the social media accounts of several high-level personnel in large corporations. In their tweets they mostly tried to show that they were able to hack the account because of low security measures, and thus to show their capabilities and their services. The first attack was against Mark Zuckerberg, the founder and president of Facebook. In this case, the hackers were able to gain control for a short while of Zuckerberg's LinkedIn, Pinterest and Twitter accounts, and also attempted to attack his Instagram account and publish different posts there. According to them, they were able to find the password to the LinkedIn account from its famous leak from 2012. The second was the former Twitter CEO, Dick Costolo, whose account they used to tweet that it was hacked by OurMine. The third person hacked by the group was Google's CEO Sundar Pichai. The group gained access to his Twitter account by hacking his Quora account. The fourth person was Uber's CEO, Travis Kalanick, whose Twitter account was also hacked by the group in a similar way. In addition, they hacked the Twitter accounts of other known personnel such as novelist Hank Green, journalist Matthew Yglesias and more.
July 2016 - HSBC bank DDoS attack
OurMine launched a massive DDoS attack against the servers of HSBC bank, which affected mainly their domains in the US and UK. After a few hours, the group claimed that it had stopped the attack, and requested that a representative of the bank contact them directly.
August 2016 - Jimmy Wales Twitter account hack
The Twitter account of Wikipedia founder Jimmy Wales was hacked by the group, which tweeted that he had passed away and that OurMine is a real group. The account was restored shortly after.
October 2016 - BuzzFeed hack
The news website BuzzFeed was hacked by OurMine as revenge for an article BuzzFeed published, which claimed to identify the person behind the group. OurMine were able to deface one of the articles on the website's main page and claimed that they had the website's database, which would be leaked if BuzzFeed continued to talk about them.
21 December 2016 - NFL, Netflix and Marvel's Twitter accounts hacked on the same day
Netflix's, the NFL's and Marvel's characters' Twitter accounts were all hacked by OurMine. In all the cases, the same message was written: "Hey, it's OurMine, don't worry we are just testing your security. Contact us to help you with your security". Furthermore, in all cases the accounts were restored in a short while.
July 2017 - Pokemon Go DDoS attack
The group launched a DDoS attack against the servers of Pokemon Go, which prevented players from logging in to the game. Also in this case, the group said that the game would be unavailable until the company contacted them to solve their security issues. In a short while the game started to work again.
July 2017 - TechCrunch Hack
The group attacked the news website TechCrunch and changed the message on the main page. They said that they did not change any password and asked the owners of the website to contact them. The website itself came back to normal very fast, which suggests that the attack was not very advanced.
August 2017 - WikiLeaks Hack
The website of WikiLeaks was hacked by OurMine, and its homepage was defaced. According to their message, the group defaced the website because they were challenged to do so by Anonymous. They also accused Anonymous of publishing a fake paste that allegedly included the information of all the members of the group. WikiLeaks denied it was hacked, and it was found that the group actually used the technique of DNS hijacking to make it look as if the website was hacked, while actually they hacked the domain name server.
August 2017 - Game of Thrones Twitter account hack
The Twitter account of Game of Thrones was hacked by the group, which tweeted that OurMine did it because they were testing the security of its owners.
September 2017 - VEVO Data Leak
The Vevo music corporation was hacked, and about 3.12TB of internal data was leaked online, allegedly by OurMine. Among the stolen information were videos and promotional material, alongside business information. The group claimed that it had approached the company before publishing the data, but the company disregarded them, so they leaked the data as retaliation. All the information was published on the website of the group.
Alias: ATK 133, United Cyber Caliphate, UCC, TAG-CT6
Score: 38
Threat Actor (one of): Cyber Criminal, Cyber Terrorist, Hacktivist, State Sponsored, Unknown
Targeted Sectors: Aviation, Defense, Education, Government Agencies, Media, Military, Naval, Political Organizations
Motivations & Objectives: Ideology, Notoriety, Organizational gain, Revenge, Unpredictable
Language: English, Arabic
DESCRIPTION
United Cyber Caliphate (UCC), or Islamic State Hacking Division, is the name of an umbrella for several hacking groups working for the Islamic State of Iraq and the Levant (ISIS or ISIL) terrorist organization. The organization emerged in April 2016. It is mostly known for its campaign against US military and governmental personnel. On April 4, 2016, the Cyber Caliphate Army (CCA), the principal ISIS hacking unit, and other pro-ISIS groups like the Sons Caliphate Army (SCA) and Kalacnikov.TN (KTN) merged and formed the United Cyber Caliphate (UCC). UCC groups include:
- Cyber Caliphate, or Cyber Caliphate Army (CCA), was established shortly after the establishment of the Islamic State. The key person behind the group was Junaid Hussain (Abu Hussain al Britani), or TriCK. The most important cyber-terrorist attack of the CCA occurred in January 2015, when the Twitter and YouTube accounts of U.S. Central Command, and later on the Twitter accounts of the magazine Newsweek, were hacked.
- The Sons Caliphate Army (SCA) was established in 2016 as a subgroup of Cyber Caliphate. It is mostly known for disrupting social media traffic on Facebook and Twitter. SCA claimed to have hacked 10,000 Facebook accounts, more than 150 Facebook groups and over 5,000 Twitter profiles.
- Kalashnikov E-Security Team was established in 2016. This group is focused on tech security advisory for ISIS jihadists. It also uploaded ISIS-related jihadi literature, sharing posts from cyber jihadi groups, reporting successful attacks on websites and Facebook pages and publishing various web-hacking techniques. Gradually, the hackers started to conduct or assist in defacing hacks.
CAMPAIGNS
01/2015 - The Albuquerque Journal and Maryland's WBOC Hacking
CCA - Cyber Caliphate took over the news organizations' Twitter handles and posted several confidential documents including driver's licenses, corrections records and spreadsheets with hundreds of names and addresses. The group also replaced the profile and cover photos with ISIS-themed art.
01/2015 - Malaysia Airlines Website Attack
CCA - The Malaysia Airlines website was compromised by "Lizard Squad". The website's front page was replaced with an image of a tuxedo-wearing lizard and read "Hacked by LIZARD SQUAD - OFFICIAL CYBER CALIPHATE". It is debated whether the website was merely hacked or was also a victim of DNS spoofing.
02/2015 - Newsweek magazine Twitter account hijacked
CCA - The Cyber Caliphate hijacked Newsweek magazine's Twitter account and threatened President Obama's wife and daughters.
09/2015 - TV5Monde Attack
CCA - Islamic State hackers hacked the French television network TV5Monde, bringing the television broadcasts to a [...] websites. Further investigations suggest a Russian group was actually behind the incident, but this was never confirmed. A warning message was issued in Arabic, but with a lot of spelling and grammar mistakes, indicating "the authors are not Arabic". French authorities later suspected APT28, a Russian hacking group, of [...]
09/2015 - UK Government Email Hacking
ISIS intercepted top secret emails of the British Government in a major security breach uncovered by GCHQ.
04/2016 - Australian Websites Hacking
UCC - The United Cyber Caliphate went on a website defacement spree, breaking into more than 20 Australian small business websites.
04/2017 - 8K Kill List Release
UCC - United Cyber Caliphate released a kill list that includes 8,786 names of Americans.
10/2018 - ISIS Launch Cracking Software
UC - Cyber Caliphate Team launched "Multy BruteForce Facebook", a Facebook-cracking software.
Timeline:
- Jan-2015: The Albuquerque Journal and Maryland's WBOC Hacking; Malaysia Airlines Website Attack
- Feb-2015: Newsweek magazine Twitter account hijacked
- Sep-2015: TV5Monde Attack; UK Government Email Hacking
- Apr-2016: Australian Websites Hacking
- Apr-2017: 8K Kill List Release
- Oct-2018: ISIS Launch Cracking Software
Assumed origin of the attacker: Worldwide
Alias: ATK 89, DESERT FALCONS (sub-group), GAZA CYBERGANG, GAZA CYBER GANG, GAZA HACKERS TEAM, MoleRATs (sub-group), OPERATION PARLIAMENT (sub-group, named after their campaign), TAG-CT5
Score: 35
Threat Actor (one of): Cyber Criminal, Cyber Terrorist, Hacktivist, State Sponsored, Unknown
Targeted Sectors: Aerospace, Defense, Energy, Financial Services, Government Agencies, High-Tech, Media
Motivations & Objectives: Ideology
Language: Arabic
Assumed origin of the attacker:
DESCRIPTION
Gaza Cybergang is an Arabic, politically motivated APT group, active all over the world, including in Europe and the US, but mainly active in the Middle East and North Africa (MENA) and in Palestine in particular. The group is comprised of three sub-groups:
* Gaza Cybergang Group 1, aka MoleRATs: The group's aim is the infection of the victim with a RAT, and it often makes use of text-sharing platforms such as PasteBin, github.com, upload.cat and more.
* Gaza Cybergang Group 2, aka Desert Falcons: The group makes use of homemade malware, tools and techniques. Victims are often infected by social engineering methods such as fake websites that promise political information, or spear phishing emails and social messaging.
* Gaza Cybergang Group 3, aka Operation Parliament: The group is focused on espionage, covering executive and judicial bodies all over the world, and focusing on MENA, particularly Palestine. The group used malware with CMD/PowerShell commands for its attacks.
Each group is different in TTPs, but they make use of the same tools after gaining the initial grip on their victims.
TOOLS, MALWARES AND VULNERABILITIES
Malwares
Custom tools: Falcons' Backdoor, Falcons' Downloader, DustySky (NeD Worm), DHS Spyware, DHS2015 / iRat, Molerat Loader, Scote, TajMahal APT Framework
Tools used by multiple adversaries: Poison Ivy, Cobalt Strike, Downeks, Quasar RAT, njRAT, XtremeRAT
Publicly available tools: BrowserPasswordDump10 (password dumper)
Legitimate software: None identified
Exploited vulnerabilities: CVE-2017-0199
CAMPAIGNS
January 2012 - Defacement of Israeli Websites
Arabic hackers, calling themselves "Gaza Hackers Team", hacked the Israel Fire and Rescue services website and posted the message "Death to Israel".
October 2012 - Operation "MoleRATs"
Israeli government websites were attacked, and officials were temporarily cut off from the internet. This campaign also targeted Palestinians and the governments of the US and UK. The hackers were discovered to be the "Gaza Hackers Team".
March 2013 - 2014 - 1st Campaign
The first and main campaign of the Desert Falcons sub-group, with the highest number of victims, targeting devices and mobiles. Targets include Palestine and Gulf states, including government organizations, military centers and top media outlets.
March 2013 - 2014 - 2nd Campaign
The second campaign of the Desert Falcons sub-group was focused mainly on Israel, while using the main Falcons Trojan. Over 600 victims have been identified.
March 2013 - 2014 - 3rd Campaign
The third campaign of the Desert Falcons sub-group was focused mainly on politicians and media figures in Egypt. This is the sole campaign in which DHS spyware was used.
June-July 2013 - Poison Ivy Attacks
MoleRATs used PIVY (Poison Ivy) against Middle Eastern and US targets.
April 2014 - Attacks on US and European targets
MoleRATs, using XtremeRAT, attacked a US financial institution and multiple European government organizations.
Summer 2014 - Attacks against Israeli and Palestinian Interests
The attackers dropped malware via decoy documents and filenames utilized in the attacks. Further examination of the case implies the intended targets comprise organizations with political interests or influence in Israel and Palestine. TTPs suggest MoleRATs or Palestinian hackers are behind the attack.
2014 - 2016 - Operation Moonlight
Based on the tools and targets, the Gaza Hacker Team is behind more than 200 attacks in the past two years. The attacks were against targets in Palestine, Egypt, the US, Jordan, Libya, Iran, Israel, and China.
September 2015 - Operation DustySky
MoleRATs have used the DustySky malware to communicate with C2, distributes control [...]
[...] victims are different than those of Gaza Cybergang's and Desert Falcons', since they were more focused on information-gathering. Their malware provides a remote CMD/PowerShell terminal for the attackers, enabling script/command execution, with results received via HTTP requests.
February 2019 - Middle East Attack
MoleRATs are suspected of using an Office Word document with embedded malicious macros that drops and executes a backdoor packed by Enigma Virtual Box. The backdoor includes a built-in keyword list with names of people or opera movies [...]
Timeline:
- Jan-2012: Defacement of Israeli websites
- Oct-2012: Operation "MoleRATs"
- Mar-2013: 1st campaign
- Mar-2013: 2nd campaign
- Jun-2013: Poison Ivy attacks
- Apr-2014: Attacks on US and European targets
- Summer 2014: Attacks against [...]
2014-2016
Israeli and
during a campaign in multiple attacks, commands to further control the victim’s Palestinian Operation
interests
which are targeted but not spear-phished, computer device. 2015
Moonlight
Parliament have been attacking in the middle deploys Yokohama as a second-stage attack Apr-2019 TajMahal APT
east with sophisticated Cyber capabilities. on victims who are deemed of interest. "SneakyPastes" Framework
campaign
They have been particularly careful to verify
victim devices before proceeding with the 2020
infection, safeguarding their command and
control servers. Operation Parliament’s
137
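The two behaviours that recur in the campaign write-ups above, an Office document whose macro drops a backdoor driven by CMD/PowerShell commands, and tooling that is staged on or talks to text-sharing platforms such as PasteBin, github.com and upload.cat, both leave traces in ordinary endpoint telemetry. The following is an added example, not taken from the report and not tooling of the group it describes: a small Python triage routine that runs three detection rules over process-creation and network events shaped like Sysmon records. The host names, file paths, URL and command lines are constructed for the example.

```python
"""Endpoint triage for the Gaza Cybergang TTPs described above (added example).

Rules: an Office application spawning a shell, PowerShell launched with an
encoded command, and a non-browser process reaching a text-sharing platform.
All events below are constructed in a Sysmon-like shape, not data from the report.
"""
from dataclasses import dataclass
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
# Watch-list built from the hosts the report names as text-sharing platforms (assumption:
# raw.githubusercontent.com is included because that is where github.com content is fetched from).
TEXT_SHARING_HOSTS = {"pastebin.com", "github.com", "raw.githubusercontent.com", "upload.cat"}
# "-e", "-ec", "-enc" or "-EncodedCommand" followed by a base64 blob.
ENCODED_PS = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{8,}", re.IGNORECASE)


@dataclass
class ProcessEvent:          # subset of Sysmon event ID 1 (process creation)
    host: str
    parent_image: str
    image: str
    command_line: str


@dataclass
class NetworkEvent:          # subset of Sysmon event ID 3 / a web-proxy log line
    host: str
    image: str
    dest_host: str
    url_path: str


def basename(path: str) -> str:
    """Lower-cased file name, tolerant of both Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_process(ev: ProcessEvent) -> list:
    findings = []
    parent, child = basename(ev.parent_image), basename(ev.image)
    if parent in OFFICE_PARENTS and child in SHELLS:
        findings.append(("office_spawns_shell", ev.host, f"{parent} -> {child}"))
    if child in {"powershell.exe", "pwsh.exe"} and ENCODED_PS.search(ev.command_line):
        findings.append(("encoded_powershell", ev.host, ev.command_line))
    return findings


def check_network(ev: NetworkEvent) -> list:
    if ev.dest_host.lower() in TEXT_SHARING_HOSTS and basename(ev.image) not in BROWSERS:
        return [("non_browser_to_text_sharing", ev.host,
                 f"{basename(ev.image)} -> {ev.dest_host}{ev.url_path}")]
    return []


def triage(process_events, network_events) -> list:
    """Return (rule, host, detail) tuples, process findings first, in input order."""
    findings = []
    for ev in process_events:
        findings.extend(check_process(ev))
    for ev in network_events:
        findings.extend(check_network(ev))
    return findings


# Constructed telemetry.  WS01 shows the macro -> cmd -> encoded PowerShell -> pastebin chain,
# WS02 a benign PowerShell use plus a dropper talking to upload.cat, WS03 a browser visit.
SAMPLE_PROCESS = [
    ProcessEvent("WS01", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    ProcessEvent("WS01", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    ProcessEvent("WS02", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoProfile -Command Get-Service"),
]
SAMPLE_NETWORK = [
    NetworkEvent("WS01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "pastebin.com", "/raw/AbCd1234"),
    NetworkEvent("WS02", r"C:\Users\user\AppData\Roaming\svchost.exe", "upload.cat", "/dl/stage2.bin"),
    NetworkEvent("WS03", r"C:\Program Files\Google\Chrome\Application\chrome.exe", "pastebin.com", "/"),
]

if __name__ == "__main__":
    for rule, host, detail in triage(SAMPLE_PROCESS, SAMPLE_NETWORK):
        print(f"{host}  {rule:28}  {detail}")
```

The network rule deliberately keys on the process rather than the destination alone: the same pastebin URL fetched by a browser is a user reading a paste, fetched by PowerShell or a binary in a user-writable directory it is the staging pattern the report attributes to MoleRATs.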
Alias: ATK 89; DESERT FALCONS (sub-group); GAZA CYBERGANG; GAZA CYBER GANG; GAZA HACKERS TEAM; MoleRATs (sub-group); OPERATION PARLIAMENT (sub-group, named after their campaign); TAG-CT5
Threat Actor: Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown (selection not preserved)
Score: 35
Targeted Sectors: Aerospace, Defense, Energy, Financial Services, Government Agencies, High-Tech, Media
Motivations & Objectives: Ideology
Language: Arabic
Alias: ATK 142; PRYZRAKY GROUP; TAG-HA11
Threat Actor: Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown (selection not preserved)
Score: 35
Targeted Sectors: Communication, Cyber-security, Defense, Education, Energy, Financial Services, Government Agencies, International Organizations, Political Organizations
Motivations & Objectives: Ideology, Personal satisfaction, Unpredictable
Language: Portuguese, English
Assumed origin of the attacker: Brazil

DESCRIPTION
Pryzraky Group is a group of Brazilian hackers, in activity since at least 2018. The group mainly carries out attacks against websites, including defacements, DDoS and data leaks, and recently began doxxing as well. The group is mainly known for taking down the websites of NASA and the NSA in 2019. The group's members are Mecz1nho (the group's founder), al1ne3737 (main attacker), Inocent, F1r3bl00d, ZHacker13 (an Israeli hacker), D4RKR0N, Poptart, Aj44x, xS1lenc3d, Dext3r and LcsCyan. The group often tags along with various global Anonymous campaigns and targets mainly educational, government and law enforcement websites in various countries. However, it seems that the main motive of this group is boredom, challenge or proving a point, rather than real ideology.
CAMPAIGNS
October 2018 - #OpKhashoggi
As part of the global Anonymous campaign targeting Saudi Arabia following the death of Jamal Khashoggi, Pryzraky Group carried out attacks against the Saudi University of Business and Technology, as well as two Saudi banks.

November 2018 - #OpAntiNazism
As part of an anti-Nazism cyber campaign, the group targeted racist groups, including the KKK website.

December 2018 - #OpIcarus
A cyber campaign against the financial sector around the world that was first launched in February 2016. Since then, hacktivists have launched several additional phases of this campaign over the years. Pryzraky Group participated in the campaign, carrying out attacks against the central banks of India, Barbados and the Bahamas.

January 2019 - NASA Breach
In January 2019, Pryzraky Group claimed responsibility for using a DDoS attack to take down NASA's domain. According to the group's founder, Mecz1nho, NASA was picked as a target because many see its systems as an example.

February-March 2019 - #OpSudan
On February 14, 2019, the group declared that it had joined #OpSudan, an international cyber campaign against Omar Al-Bashir's regime in Sudan. In this campaign, the group targeted multiple Sudanese government-related domains with defacements, data leaks and DDoS attacks.

February-April 2019 - #OpVenezuela
On February 26, 2019, the group declared that it had joined #OpVenezuela, an international campaign prompted by the protests in Venezuela. In this campaign, the group mainly carried out defacements, data leaks and DDoS attacks against domains of TV stations, universities and government agencies.

March 2019 - #OpNicaragua
#OpNicaragua is a hacktivist campaign against the government of Nicaragua in protest against its repression of protest movements in the country. In this campaign, Pryzraky Group targeted universities and government-related websites in Nicaragua and Costa Rica.

March 2019 - #OpCopyWrong
In March 2019, Anonymous launched a campaign dubbed #OpCopyWrong, an international campaign targeting the EU and aimed at lobbying the European Parliament against passing changes to the copyright laws. As part of this campaign, Pryzraky Group leaked data and carried out other attacks on EU-related sites, including the Europol and EU government websites.

April 2019 - #OpEcuador / #FreeAssange
In April 2019, the group joined the global #FreeAssange campaign, targeting Ecuador after it withdrew the asylum of WikiLeaks founder Julian Assange and handed him over to the UK authorities. In this campaign, the group targeted government-related websites and domains, including the official website of the president of Ecuador and the website of the police of Ecuador. As part of this campaign, the group also attacked targets in the UK, such as the websites of the UK Supreme Court and the UK police.

April 2019 - #OpIsrael
A pro-Palestinian and anti-Israel cyber campaign which has occurred annually on April 7 since 2013. In 2019 Pryzraky joined the campaign and attacked the Israeli police department of investigations and intelligence, using the FuckingBotnet with a Cloudflare bypass.

2018-2019 - Targeting Brazilian and Argentinian Politicians and the government and education sectors
Throughout their activity, Pryzraky Group attacks Brazilian and Argentinian institutions, mainly in the education and government sectors. The attacks include defacements, data leaks, DDoS attacks and doxxing of judges and politicians.
TECHNIQUES (MITRE ATT&CK)
Initial Access
T1190 - Exploit Public-Facing Application
Credential Access
T1003 - Credential Dumping
Impact
T1489 - Service Stop
T1491 - Defacement
T1498 - Network Denial of Service
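The three Impact techniques listed for this group (T1489, T1491, T1498) all change either what a site serves or whether it answers at all, which is why the practical control against hacktivist crews of this kind is a periodic content-integrity sweep rather than signature matching. The following is an added example, not part of the report and not tooling of any group it describes: a Python baseline-and-compare routine that hashes normalised page content, separates a legitimate update from a likely defacement with a marker heuristic, and reports pages that stopped answering. The page snapshots, URLs and marker list are constructed for the example; a real deployment would feed it the output of an HTTP crawl.

```python
"""Content-integrity sweep for defacement (T1491) and availability loss (T1489/T1498).

Added example: a baseline of normalised page hashes is compared against a later
crawl.  The page contents below are constructed for the example.
"""
import hashlib
import re

# Strings typical of hacktivist defacement pages.  Assumed list, not from the report.
DEFACEMENT_MARKERS = re.compile(
    r"hacked\s+by|owned\s+by|defaced\s+by|pwned\s+by|tangodown|#op[a-z0-9_]+|we\s+are\s+anonymous",
    re.IGNORECASE,
)
# Fragments that change on every request and must not count as a content change.
VOLATILE = [
    re.compile(r'<meta\s+name="csrf-token"[^>]*>', re.IGNORECASE),
    re.compile(r"<!--.*?-->", re.DOTALL),
]


def normalise(html: str) -> str:
    """Strip per-request noise so that only real content changes move the hash."""
    for pattern in VOLATILE:
        html = pattern.sub("", html)
    return re.sub(r"\s+", " ", html).strip().lower()


def fingerprint(html: str) -> str:
    return hashlib.sha256(normalise(html).encode("utf-8")).hexdigest()


def build_baseline(pages: dict) -> dict:
    """pages maps URL path -> HTML captured while the site is known-good."""
    return {url: fingerprint(html) for url, html in pages.items()}


def classify(baseline_hash: str, html: str) -> str:
    if fingerprint(html) == baseline_hash:
        return "unchanged"
    if DEFACEMENT_MARKERS.search(html):
        return "likely_defaced"
    return "changed"  # legitimate update or subtler tampering: needs a human look


def sweep(baseline: dict, current: dict) -> dict:
    """current maps URL path -> HTML from the latest crawl; a missing path means the fetch failed."""
    verdicts = {}
    for url, base_hash in baseline.items():
        if url not in current:
            verdicts[url] = "unreachable"  # candidate for T1489/T1498, or a plain outage
        else:
            verdicts[url] = classify(base_hash, current[url])
    for url in current.keys() - baseline.keys():
        verdicts[url] = "unexpected_page"  # a path planted outside the baseline
    return verdicts


# Constructed snapshots: "/" differs only in a CSRF token, "/news" got a real update,
# "/contact" was replaced by a defacement page, "/login" stopped answering, "/x.html" is new.
BASELINE_PAGES = {
    "/": '<html><meta name="csrf-token" content="a1b2"><body><h1>Ministry of Examples</h1>\n<p>Welcome.</p></body></html>',
    "/news": "<html><body><h1>News</h1><ul><li>Budget approved</li></ul></body></html>",
    "/contact": "<html><body><h1>Contact</h1><p>info@example.gov</p></body></html>",
    "/login": "<html><body><form action='/login' method='post'></form></body></html>",
}
CURRENT_PAGES = {
    "/": '<html><meta name="csrf-token" content="zz99"><body><h1>Ministry of Examples</h1>  <p>Welcome.</p></body></html>',
    "/news": "<html><body><h1>News</h1><ul><li>Budget approved</li><li>New office hours</li></ul></body></html>",
    "/contact": "<html><body><h1>Hacked by ExampleCrew</h1><p>#OpExample - expect us</p></body></html>",
    "/x.html": "<html><body>shell</body></html>",
}


def run_example() -> dict:
    return sweep(build_baseline(BASELINE_PAGES), CURRENT_PAGES)


if __name__ == "__main__":
    for url, verdict in sorted(run_example().items()):
        print(f"{verdict:16} {url}")
```

The "changed" verdict is deliberately separate from "likely_defaced": a site that publishes daily will trip a pure hash comparison constantly, and the marker heuristic is what keeps the alert queue usable. "unreachable" on many paths at once is the signal to correlate with the edge's request rate before calling it a DDoS.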
Alias: Anon Italia; ATK 123; TAG-HA2
Threat Actor: Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown (selection not preserved)
Score: 35
Targeted Sectors: Administration, Aviation, Defense, Education, Financial Services, Food and Agriculture, Government Agencies, Healthcare, Hospitality, International Organizations, Manufacturing, Media, Military, Naval, Pharmaceutical, Political Organizations, Research, Retail, Transportation
Motivations & Objectives: Ideology
Language: Italian

DESCRIPTION
Anonymous Italia is one of the oldest hacktivist groups on the Italian cyber-threat landscape, appearing in 2012. The group is characterized by an anarchist ideology, with a strong sense for social justice and environmental issues. This highly ideological imprinting translates into a clear aversion towards Italian political institutions and security forces. In this context, we identify recurring patterns in the hacktivists' target selection: police, political parties and government institutions have always been among their preferred targets. Of note, many attacks were apparently conducted in cooperation with two other Italian hacktivist groups, namely LulzSec ITA and AntiSecurity ITA, characterized by a similar ideology. Throughout its long activity, the group executed hundreds of data leaks, defacements and DDoS attacks. Notable was the 2015 attack against the Ministry of Defense (with thousands of leaked records), which also led to the arrest of two prominent members of the collective, who used the aliases Aken and Otherwise. Interestingly, the latter contributed to the development of a "serverless" portal for coordinating the group's operations, named Osiris, demonstrating significant technical capabilities. Of note, the group is also actively involved in the promotion of real-world operations, such as #OpGreenRights, #OpPaperStorm and the Million Mask March.
CAMPAIGNS
April 2012 - FIMI Attack
On April 8, 2012, Anonymous Italia claimed responsibility for hacking the Italian Music Industry Federation (FIMI, hxxps://www.fimi.it), dumping two sensitive databases of the organization on a text-sharing platform.

April 2012 - Trenitalia Attack
On April 12, 2012, Anonymous Italia claimed responsibility for taking down (#TangoDown) the website of Trenitalia, the main Italian train operator.

August 2012 - Ministry for Economic Development Attack
On August 31, 2012, Anonymous Italia hacked into the Italian Ministry for Economic Development, exploiting a Joomla CMS misconfiguration to exfiltrate a website configuration file.

September 2012-ongoing - #OpGreenRights
OpGreenRights is a longstanding hacktivist campaign joined by numerous Anonymous-affiliated groups worldwide (hxxps://twitter.com/OpGreenRights). Anonymous Italia has participated in the campaign since its early inception, usually focusing on environmental grievances pertaining to Italy. A review of the key operations follows. On September 11, 2012, Anonymous Italia promoted a live demonstration against Monsanto in multiple Italian cities. On April 16, 2014, Anonymous Italia targeted the website of Tuscany's environmental services provider A.S.A. S.p.A. (hxxps://www.asaspa.it): the hackers accessed the servers of the company, tampering with and leaking the data, and performing defacement attacks. On May 5, 2014, Anonymous Italia claimed responsibility for hacking the servers of the Riva Group, one of the main Italian steel producers, accusing the company of contaminating the population living in the proximity of its facilities; sensitive documents and email conversations were dumped online. On June 13, 2014, Anonymous Italia claimed responsibility for DDoSing the website of the Brazilian military police, to protest its treatment of the indigenous population living in the Amazon rainforest. On June 22, 2014, Anonymous Italia claimed responsibility for hacking the website of the EU Sustainable Energy Week (#EUSEW2014), allegedly dumping thousands of records of organizations participating in the initiative, such as the World Bank, Bayer, ExxonMobil, Enel, EDF, GE, Shell, BP, Eni, Nokia, Intel and more. On October 16, 2014, Anonymous Italia defaced the website of the Apulia Regional Council to protest the environmental damage caused by the Ilva steelworks in Taranto. On February 21, 2016, it dumped online data stolen from the website of the Apulia Regional Council, against the decision to construct a gas pipeline crossing the area. The campaign was very popular in 2019, with attacks against the Ministero Ambiente (Ministry of the Environment).

September 2012 - Monsanto Attack
On September 17, 2012, Anonymous Italia claimed responsibility for DDoSing the Italian website of Monsanto, in the context of a global mobilization against the company.

October 2012 - Italian Police Attack
On October 22, 2012, Anonymous Italia leaked online a substantial volume of data allegedly taken from the Italian Police's servers.

April 2014 - Italian Government and Defense Attack
On April 10, 2014, Anonymous Italia claimed responsibility for DDoSing websites related to the Italian Government and the Defense Ministry. Allegedly, the websites were down for hours.

April 2014 - "Jobs Act" Attack
In the context of the job reforms proposed by PM Matteo Renzi, on April 12, 2014, Anonymous Italia claimed responsibility for DDoSing the website of the Prime Minister, the website of the Italian Ministry of Labor, as well as that of the Italian police.

November 2014 - #OpSAP (Italy's Police Work Union) Attack
On November 11, 2014, Anonymous Italia claimed responsibility for leaking information from the Police Work Union servers (hxxps://www.sap-nazionale.org), to protest the court verdict in the trial over Stefano Cucchi's death.

November 2014 - Lega Nord Attack
On November 16, 2014, Anonymous Italia claimed responsibility for defacing the Lega Nord party's website (leganord.org), protesting its alleged racist ideology and policies.

November 2014 - Italian Penitentiary Police Attack
On November 22, 2014, Anonymous Italia claimed responsibility for hacking the servers of the Italian Penitentiary Police, leaking a significant volume of data. The motive behind the attack was to protest the numerous deaths of detainees during the past ten years.

December 2014 - #NoTAV Attack
On December 12, 2014, Anonymous Italia claimed responsibility for defacing 100 subdomains of the rhonealpes.fr domain, related to the French Rhône-Alpes Regional Council. The motive behind the attack was to protest the railroad project called TAV, which is expected to connect Turin with Lyon.

December 2014 - #OpItaly
On December 25, 2014, Anonymous Italia claimed responsibility for leaking an archive comprising more than 1500 private documents of the Italian Police, as revenge.

March 2015 - Attacks Against Two Right-Wing Parties
On March 15, 2015, Anonymous Italia claimed responsibility for DDoSing multiple websites of the Italian right-wing parties CasaPound and Forza Nuova.

Assumed origin of the attacker: Italy
April 2015 - AIFA Attack
On April 29, 2015, Anonymous Italia claimed responsibility for hacking the Italian Pharmaceutical Agency (AIFA), defacing its website. The motivation for the attack was to damage the global pharmaceutical industry, perceived by the group as a constant enemy.

May 2015 - Italian Ministry of Defense Attack
On May 18, 2015, Anonymous Italia claimed responsibility for leaking the personal details of over 1700 security personnel from the Italian Ministry of Defense's databases, publishing them online.

July 2015 - Attack Against Italian Law Enforcement Agencies
On July 20, 2015, Anonymous Italia claimed responsibility for defacing several websites related to Italian LEAs, dumping online a significant volume of stolen data. The attacks were revenge for the arrest of two Anonymous Italia members, named Aken and Otherwise.

February 2016 - #OpHomes Campaign
On February 16 and 18, 2016, Anonymous Italia claimed responsibility for stealing data from and defacing multiple websites of Italian police labor unions, in protest against the eviction of families from their houses in Livorno and Padua. On February 20, 2016, in continuation of the previous attacks, the hacktivists DDoSed the website of the Italian Ministry of Infrastructure and Transportation.

February 2016 - Attack Against Nuovo Centro Destra
On February 25, 2016, Anonymous Italia claimed responsibility for DDoSing the website of the Italian right-wing party Nuovo Centro Destra.

March 2016 - Campaign against the Italian Security Forces
On March 1, 2016, Anonymous Italia claimed responsibility for DDoSing the websites of the Italian Carabinieri, the Police, and the Defense and Interior Ministries.

May 2016 - Lega Nord Attack
On May 11, 2016, Anonymous Italia claimed responsibility for DDoSing the Lega Nord party's website, leganord.org.

August 2016 - #opNessunDorma Campaign
Operation #NessunDorma was a campaign carried out against over 40 Italian websites on August 4, 2016. The websites affected by the data breach ranged from job agencies, private businesses and consulting companies to personal sites. The hacktivists obtained all the leaked details by breaching the servers of Engitel, a Milan-based web agency providing e-commerce solutions to all the above-mentioned companies. The motivation was to fight against the new labor laws and temporary employment agencies.

September 2016 - Libero Quotidiano Attack
On September 21, 2016, Anonymous Italia claimed responsibility for leaking personal details of registered users and editorial staff of the Italian newspaper Libero (liberoquotidiano.it).

October 2016 - Penitentiary Police Attack
On October 12, 2016, Anonymous Italia claimed responsibility for breaching the servers of the Italian Penitentiary Police and related organizations.

February 2017 - Forza Nuova Attack
On February 21, 2017, Anonymous Italia claimed responsibility for again defacing the website of the right-wing party Forza Nuova (forzanuova.eu).

May 2017 - Ministry of Foreign Affairs Attack
On May 20, 2017, Anonymous Italia, together with LulzSec and AntiSec, hacked the Italian Ministry of Foreign Affairs' servers, publishing sensitive data of the ministry personnel.

June 2017 - Carabinieri Attack
On June 12, 2017, Anonymous Italia claimed responsibility for breaching the servers of the Carabinieri (Italy's military police force), dumping the stolen data online.

July 2018 - Ospedale Sant'Andrea Attack
On July 14, 2018, Anonymous Italia claimed responsibility for leaking thousands of records from the Rome hospital Ospedale Sant'Andrea, to protest the low level of security adopted by the Italian Healthcare Ministry to protect user data.

October/November 2018 - #FifthOfNovember Campaign
The hacktivists launched a series of attacks against dozens of targets in an apparently random fashion. Notable among them were Rome and Milan universities, local municipalities, national research institutions and healthcare federations. Most of the attacks resulted in sensitive data being published online.

December 2018 - Healthcare Institutions Attack
On December 24, 2018, Anonymous Italia claimed responsibility for hacking dozens of Italian healthcare institutions, defacing them and leaking a notable volume of data.

February 2019 - #OpSardegna Campaign
On February 12, 2019, Anonymous Italia claimed responsibility for hacking the Sardegna regional council website, as well as other local websites, to protest the government's agricultural policies vis-a-vis the region.
DESCRIPTION
DemonSad3 is a Portuguese-speaking hacktivist affiliated with NewSec Group and LulzSec Brazil. He usually targets Brazilian websites with different attack vectors, and therefore we assume that he is of Brazilian nationality. He also hacks different targets affiliated with various sectors around the world and participates in different cyber campaigns. He is highly active on social networks, especially on Twitter and YouTube, and usually publishes data leaks on his pastebin account.

CAMPAIGNS
2018 - 2019 - OpSudan
A cyber campaign that supports the protests against the Sudanese government. During March 2019, DemonSad3 claimed responsibility for shutting down a Sudanese government website.

April 2019 - OpAssange
A cyber campaign against the arrest of Julian Assange in April 2019. During April 2019, DemonSad3 defaced two Brazilian government websites and a […] related to American official websites.

June 2019 - Targeting the website of the National University of Colombia
DemonSad3 published on his pastebin account a database allegedly related to the website of the National University of Colombia.

June 2019 - Targeting a government website of Paraguay
DemonSad3 published on his pastebin […]

Assumed origin of the attacker: Brazil
Alias: ATK 137; NEWSEC GROUP; TAG-HA3
Threat Actor: Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown (selection not preserved)
Score: 33
Targeted Sectors: Defense, Education, Financial Services, Government Agencies, Media
Motivations & Objectives: Ideology
Language: Portuguese and English
Assumed origin of the attacker: Brazil

DESCRIPTION
A group of hacktivists led by a threat actor dubbed DemonSad. The group was involved in multiple cyber campaigns targeting various countries around the world in order to support civil demonstrations against the authorities. The group was observed conducting mainly DDoS attacks and several data leaks. We assume with medium probability that the group originates from Brazil, mostly due to the fact that some of its tweets are in both English and Brazilian Portuguese. In addition, the Twitter account information of DemonSad and other group members is in Brazilian Portuguese.

CAMPAIGNS
2013 - present - #OpIsrael
A pro-Palestinian and anti-Israel cyber campaign which has occurred annually on April 7 since 2013. NewSec Group claimed responsibility for allegedly shutting down Israeli government websites.

2015 - present - #OpVenezuela
A cyber campaign that protests against the political and socioeconomic crisis in Venezuela. During March 2019, NewSec Group claimed responsibility for shutting down government and official websites of Venezuela.

April 2019 - #OpUK
A cyber campaign against the UK because it arrested Julian Assange after Ecuador withdrew his asylum. NewSec Group claimed responsibility for shutting down and defacing government and other British websites.

May 2019 - #OpHonduras
A cyber campaign that supports the demonstrations against the government. NewSec Group claimed responsibility for shutting down a government website.

June 2019 - #OpIndonesia
[…]
Alias: APT 17; ATK2; AURORA PANDA; AXIOM; BARIUM; BLACKFLY; DEPUTY DOG; DOGFISH; GROUP 72; GROUP 8; HIDDEN LYNX; LEAD; RAGEBEAST; TAILGATER
Threat Actor: Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown (selection not preserved)
Score: 32
Targeted Sectors: Defence, Education, Financial Services, Government Agencies, High-Tech, Industry, Media
Motivations & Objectives: Espionage
Language: Unknown
Assumed origin of the attacker: China

DESCRIPTION
ATK2 is a threat group in operation since at least 2009. It was described by Symantec as a professional organization that offers a "hackers for hire" service. They can target multiple organizations with concurrently running attacks, operating efficiently and moving quickly and methodically. The group regularly integrates new zero-day exploits into its arsenal and customizes them quickly, demonstrating a skillset superior to that of APT1, which also operates in that region. Based on these factors, Symantec estimates that the group would need to be made up of between 50 and 100 individuals. The infrastructure used during the attacks mostly originated from China.
This group is composed of two sub-groups using two different backdoors to achieve different goals:
* The team which distributes the Moudoor backdoor, a customized version of Gh0st RAT. They are responsible for large-scale attacks which require a large number of people to operate.
* The team which distributes the Naid backdoor, used during the Bit9 attack, the VOHO campaign and Operation Aurora. This team seems to operate against high-value targets and to be composed of more skillful attackers.

CAMPAIGNS
January 2010 - Operation Aurora
The Aurora malware operation was identified in January 2010 and made public by Google and McAfee. This malware operation has been associated with intellectual property theft including source code and technical diagrams (CAD, oil exploration bid data, etc.). Companies hit have been publicly speculated to include Google, Adobe, Yahoo, Symantec, Juniper Networks, Rackspace, Northrop Grumman, ExxonMobil, ConocoPhillips and Dow Chemical. The malware package used with Aurora is mature and has been in development since at least 2006. As a result of the attack, Google stated […]

Attack on the French Aerospace sector
A strategic web compromise leveraging the CVE-2014-0322 zero-day to infect victims with the ZxShell malware targeted the website of the Veterans of Foreign Wars, a U.S. organization. One month before this attack, another threat group used the same vulnerability to conduct attacks against the French aerospace sector and compromise the website of Capstone Turbine, a U.S.-based turbine manufacturer.
Alias: ATK78; THRIP
Threat Actor: Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown (selection not preserved)
Score: 32
Targeted Sectors: Aerospace, Communication, Defence, High-Tech
Motivations & Objectives: Espionage; gathering information on satellite operating infrastructure
Language: Unknown
Assumed origin of the attacker: China

DESCRIPTION
Thrip is a Chinese cyber-espionage group targeting the telecommunications, geospatial imaging and defence sectors in the United States and Southeast Asia. Thrip was uncovered in January 2018 by Symantec during a campaign targeting an important telecommunications operator in Southern Asia. On the day of its publication, the article from Symantec described five custom malwares: Rikamaru, Catchamas, Mycicil, Spedear and Syndicasec. But this article has since been modified, maybe by mistake, and nothing remains but the Catchamas info-stealer trojan. Because of these circumstances, the information presented here is given with moderate confidence.

CAMPAIGNS
January 2018 - Thrip targets Southeast Asia
In January 2018, it was discovered that Thrip had launched an espionage campaign […] operator. The attack group seemed to be particularly interested in the operational side of the company, looking for and infecting […]
Alias: ATK 129; Pinoy LulzSec; TAG-HA9
Threat Actor: Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown (selection not preserved)
Score: 31
Targeted Sectors: Administration, Aviation, Defense, Education, Food and Agriculture, Government Agencies, Healthcare, Manufacturing, Military, Political Organizations, Retail, Transportation
Motivations & Objectives: Personal satisfaction, Unpredictable
Language: Filipino, English
Assumed origin of the attacker: The Philippines

DESCRIPTION
Pinoy LulzSec is the Philippine branch of the international LulzSec movement, and therefore embraces an anarchist/destructive ideology. According to their statements, Pinoy LulzSec hacktivists have allegedly been active since 2012. However, we found the bulk of their activity concentrated in 2017-2018. The group was responsible for numerous cyber-attacks in the past years, including notable ones against the Philippine Government and defense forces in the April Fool's Day campaigns of 2018 and 2019. The hackers conducted dozens of attacks during these campaigns, mostly website defacements and data leaks, which were subsequently dumped online on file-sharing platforms. We also observed numerous social media account takeovers, ostensibly performed via spear-phishing. The hackers show a clear preference for attacking government-related targets, but also have a penchant for education institutions. This finding suggests that they may be teenagers, still going to school; the assumption is corroborated by their erratic behavior and the vulgar language used on social media. In fact, in line with their modus operandi and search for visibility, the hacktivists run multiple social media accounts, mainly on Twitter and Facebook, where they announce their future intentions and boast about their attacks. Of note, the hackers have been conducting defacement attacks against poorly secured websites in over 30 countries worldwide, indicating that they largely operate out of opportunity instead of ideological reasons.
Pinoy LulzSec's prominent members: X-m3n, GrandFather, Kangk0ng, Soull.

CAMPAIGNS
September 2016 - Commission on Elections (COMELEC) Attack
Pinoy LulzSec hacked into COMELEC, exfiltrating the databases hosted therein.

Early April 2018 - April Fool's Day
In this campaign, Pinoy LulzSec launched numerous attacks against Philippine Government websites, those of Philippine local authorities, and education institutions. Website defacements, DDoS attacks and data leakages were the prominent attack vectors.

April 24, 2018 - Government of Thailand
The hackers defaced six distinct Thai Government websites. The motivation behind the attack is ostensibly recreational.

April 27, 2018 - Government of Nepal
The hackers published a Nepal Government database on a text-sharing platform. The motivation behind the attack is likely recreational.

April 2019 - April Fool's Day 2019 attacks
[…] targets, government and corporate alike, the most notable being the breach of the Armed Forces of the Philippines (AFP) data center and the subsequent leaking of soldiers' data online. As in the previous year's campaign, the hackers conducted […] and social media account takeovers.

April 5, 2019 - Jollibee Foods Corporation Hack
Pinoy LulzSec hackers leaked the database of the Filipino food chain Jollibee on a text-sharing platform.

April 24, 2019 - Cebu Pacific Air Hack
The Pinoy LulzSec hacker kangk0ng gained unauthorized access to Cebu Pacific Air's rewards program GetGo. The hackers defaced the GetGo homepage, but also managed to access the company's Active Directory, possibly stealing sensitive data.

April 30, 2019 - jointhearmy[.]ph Hack
[…]
ATK 73 - THE DARK OVERLORD
Alias: THE DARK OVERLORD, TDO, TAG-CR4
Threat Actor: Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Motivations & Objectives: Personal-gain
Score: 29
Language: English

DESCRIPTION
The Dark Overlord is a highly skilled cybercrime actor (possibly a well-structured cybercrime syndicate) active since at least mid-2016. It entered the public spotlight following the 2017 hack of Larson Studios and the subsequent release of an entire season of the TV show “Orange is the New Black.” The Dark Overlord’s key business model is to hack into low, medium and high-profile organizations, mostly in the healthcare, education, and media production sectors in the US and UK, and subsequently put the stolen data up for sale or demand ransom from its victims. The Dark Overlord appears to be primarily a financially driven threat actor, with a proven history of success and likely millions of dollars in profits. The threat actor has been prevalently active on Darknet marketplaces and hacking forums, where it tries to sell “private” databases (databases that are not in the public domain yet), but also other goods, such as software source code.

Alleged Members: Nathan Wyatt AKA “Crafty Cockney”/“mas” - alleged member arrested in September 2016. Grant West AKA “Courvoisier” - alleged member arrested in Kent (UK) in May 2018. S.S. - alleged member arrested in Belgrade (Serbia) on May 16, 2018.

CAMPAIGNS

2016 - Extortion of US Organizations
The Dark Overlord started their operation by targeting a variety of organizations in the United States. Most of the organizations were from the medical sector, but the group also targeted the financial and high-tech industries. The group demanded ransom for not releasing sensitive documents and patients’ medical records.

2016 - HL7 Software Stolen
The Dark Overlord offered for sale what they claim to be the source code, software signing keys and customer license database for a Health Level Seven interface engine.

2017 - Threats to US schools
Parents received text messages from The Dark Overlord threatening to harm or kill their children.

2016 - Larson Studios Hack
Somewhere around December 2016, The Dark Overlord were able to get access to the network of Larson Studios, a Hollywood audio post-production studio. According to Larson Studios, the group was able to breach the network through an endpoint running an outdated version of Windows 7. The group was able to download a large number of TV shows the studio was working on and delete them from the company servers. They then claimed they would release the shows if the studio did not pay them $50,000 (which the studio eventually did).

Jun 2017 - Netflix Attack
The Dark Overlord leaked unaired episodes of “Orange is the New Black” stolen in the Larson Studios hack. According to the group, they decided to leak the information after Larson Studios broke the agreement with them by going to the FBI, and as a way to pressure Netflix to pay.

Jan 2019 - 9/11 Papers
The Dark Overlord hacked US and UK companies and exfiltrated a large volume of sensitive documents related to the lawsuits over the 9/11 terror attacks.

Timeline: 2016 - Extortion of US Organizations; 2016 - HL7 Software Stolen; Dec-2016 - Larson Studios Hack; 2017 - Threats to US schools; Jun-2017 - Netflix attack; 2018; Jan-2019 - 9/11 Papers.

161
ATK 125 - BLUE DRAGON
Alias: BLUE DRAGON, IZNAYE CYBER TEAM, TAG-HA4
Threat Actor: Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted Sectors: Administration, Defense, Education, Energy, Government Agencies, High-Tech, Hospitality, Manufacturing, Political Organizations, Research, Retail
Motivations & Objectives: Ideology
Score: 29
Language: English, French, Spanish
Assumed origin of the attacker: Russia

DESCRIPTION
IZNAYE CYBER TEAM is considered to be a hacktivist attack group. According to its Twitter account, the group started recruiting members during May 2019. The group is considered to be a Russian attack group, as it uses the Russian Federation flag in its Twitter account and cites a quote attributed to the Soviet revolution leader Lenin. However, a few of its members are not Russian speakers and we get the impression that it is a multi-national attack group also consisting of French and Spanish language speakers. Its main objectives are governmental institutions, but not only; among its targets are also commercial organizations and local authorities, and it was seen joining mainly hacktivist campaigns. Quoting Lenin may suggest the group’s agenda is driven by a communist ideology. We also noticed that the group has ties to another hacktivist team dubbed Pryzraky Group, since one of the IZNAYE CYBER TEAM’s members, named xS1lenc3d, had taken responsibility under the Pryzraky insignia. Another member dubbed Aft3RNOON_000 was seen taking responsibility for operations conducted together with “Team Gh0st”. We have the impression that the above-mentioned cooperation is related to common causes and ideology.

CAMPAIGNS

2019 - #OpSudan
On April 5, 2019, the group declared they had joined #OpSudan - a hacktivist cyber campaign against Omar Al-Bashir’s regime in Sudan. In this campaign, the group targeted multiple Sudanese Government-related domains in defacement, data leak and DDoS attacks. Among the websites that were targeted were the websites of Khartoum Police, the Sudanese Embassy in Germany and more.

2019 - #OpIsrael
During April 2019, the group joined the pro-Palestinian and anti-Israel cyber campaign which occurs annually on April 7 since 2013. On April 11, 2019, the group was also mentioned in tweets regarding its part in a DDoS attack targeting israeltoday.co.il, an Israeli news journal website. On the same day the group claimed that it had leaked files, emails and subdomains of the Israeli ministry of defence. The group was also mentioned …

2019 - #OpEcuador Campaign / #OpFreeAssange / #OpAssange
… government of Ecuador in response to the extradition of WikiLeaks founder Julian Assange to the authorities in the UK. Starting April 14 through April 19, 2019, the group took part in various cyber-attacks on websites related to the government of Ecuador and commercial websites in the UK.

2019 - #OpFrance
A hacktivist campaign first launched by Anonymous in solidarity with the Yellow Vests Movement (Mouvement des gilets jaunes) in France. On April 11, 2019, the group took part in a cyber attack targeting the DynDNS France website (dyndns.fr). On May 1, 2019, a group member dubbed xS1lenc3d leaked approximately 70,000 emails belonging to customers of Peugeot France. The leak being published on May 1, 2019, a symbolic day for communists, might support the assumption that the group or some of its actors hold a communist ideology.

2019 - #OpHonduras
A hacktivist campaign that accuses the Honduras regime of being oppressive and tyrannical. During May 2019, the group claimed to have targeted a series of Honduras government websites.

Timeline: 2019: Apr-2019 - #OpSudan; Apr-2019 - #OpIsrael; Apr-2019 - #OpEcuador Campaign / #OpFreeAssange / #OpAssange; Apr-2019 - #OpFrance; May-2019 - #OpHonduras.

Russia
163
ATK77 - DARKHYDRUS
Alias: DARKHYDRUS, LAZYMEERKAT
Threat Actor: Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted Sectors: Government Agencies
Motivations & Objectives: Espionage
Score: 28
Language: Unknown

DESCRIPTION
ATK77 (DarkHydrus) is a threat group that has targeted government agencies and educational institutions in the Middle East since at least 2016. The group heavily leverages open-source tools and custom payloads for carrying out attacks.

CAMPAIGNS

2018 - New Threat Actor Group DarkHydrus Targets Middle East Government
In July 2018, Unit 42 analysed a targeted attack using a novel file type against at least one government agency in the Middle East. It was carried out by a previously unpublished threat group that Unit 42 tracks as DarkHydrus.

2019 - Latest Target Attack of DarkHydrus Group Against Middle East
360 Threat Intelligence Center captured several lure Excel documents written in Arabic on January 9, 2019. It is confirmed that this is a new attack by the DarkHydrus Group targeting the Middle East region.

Timeline: Jul-2018 - New threat actor group DarkHydrus targets Middle East government; Jan-2019 - Latest target attack of DarkHydrus group against Middle East; 2020.

Assumed origin of the attacker: Unknown
165
ATK 136 - Sprek3rsSec
Alias: Sprek3rsSec, TAG-HA17
Threat Actor: Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted Sectors: Education, Government Agencies, Media
Motivations & Objectives: Ideology
Score: 28
Language: Portuguese

DESCRIPTION
Sprek3rsSec is a Brazilian hacktivist active from 2014. Sprek3rsSec mostly targets Brazilian websites for defacement and data leak attacks. In the past the actor was part of a group called Evil Corp BR, which operated between 2016 and 2017. From 2019 he is part of a group called !PHALLANX!. While mostly flying under the radar, the threat actor bought his publicity in the 2019 #OpAmazonia campaign. The threat actor seems to possess low to medium hacking skills, mostly relying on SQLi techniques and XSS vulnerabilities.

CAMPAIGNS

2014-2017 - Defacement
From the start of his activities the threat actor focused on defacements of random websites, with the majority of them from the BR TLD (Brazilian websites).

2019 - #OpAmazonia
Sprek3rsSec took part in #OpAmazonia, a hacktivist operation to protest against the burning of the rain forest. As part of the operation Sprek3rsSec, as a member of PHALLANX, allegedly hacked several ministry offices and leaked data from them. Among the hacked targets was the ministry of environment; according to the group they were able to find proof that the …

Timeline: 2014-2017 - Defacement; 2015; 2016; 2017; 2018; 2020.

Brazil
167
ATK 135 - GHOST SQUAD HACKERS
Alias: GHOST SQUAD HACKERS, TAG-HA6
Threat Actor: Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted Sectors: Communication, Education, Financial Services, Government Agencies, International Organizations, Media, Military, Political Organizations
Motivations & Objectives: Ideology
Score: 26
Language: English
Assumed origin of the attacker: Worldwide

DESCRIPTION
The Ghost Squad Hackers, a group founded in 2016, are hacktivists from around the world that launched cyber-attacks against multiple targets around the world. In 2016, they were considered to be one of the top trending hacktivist groups. Several popular cyber-attacks that are affiliated with the group are the DDoS attacks against GitHub (January 2019), YouTube (October 2018) and the mail servers of CNN and FoxNews (June 2016). A prominent group member dubbed S1ege developed several tools and published their code on GitHub.

CAMPAIGNS

2013 - present - #OpIsrael
A pro-Palestinian and anti-Israel cyber campaign which occurs annually on April 7 since 2013. During August 2016, Ghost Squad Hackers claimed responsibility for allegedly shutting down Israeli government websites.

2016 - present - #OpISIS / #OpReverseCaliphate / #OpDecryptIsis
A cyber campaign against ISIS-related online platforms. Ghost Squad Hackers targeted ISIS-related platforms on Twitter, Telegram, WhatsApp etc. and leaked information.

2016 - 2018 - #OpIndia
A cyber campaign against Indian websites and online platforms. Ghost Squad Hackers claimed responsibility for defacing Indian government and additional websites between 2016 and 2018.

January 2016 - Targeting Ethiopian government websites
During January 2016, Ghost Squad Hackers defaced several Ethiopian government websites to protest against the violent clashes between students and the security forces.

April 2016 - Targeting KKK
In April 2016, Ghost Squad Hackers claimed responsibility for shutting down a website affiliated with the KKK.

May 2016 - #OpTrump
A cyber campaign against websites related to Donald Trump to protest against one of his speeches. In May 2016, Ghost Squad Hackers shut down the Trump Hotel Collection website for several hours.

May 2016 - #OpIcarus
A cyber campaign against the financial sector around the world that was first launched in February 2016. Since then, hacktivists have launched several additional phases of this campaign over the years. During May 2016, Ghost Squad Hackers claimed responsibility for shutting down various websites of financial institutions in the UK, Cameroon, Kuwait, Korea, Myanmar, New Zealand and Nepal.

June 2016 - #OpSilence
A cyber campaign against the media sector to protest against their coverage of the Israeli-Palestinian conflict. During June 2016, Ghost Squad Hackers claimed responsibility for shutting down the mail servers of Fox News and CNN. They also published links to data leakages allegedly related to the US Army. The data leakages contained personal information and email accounts. In addition, they claimed they shut down the website of the Prime Minister of Israel (pmo.gov.il).

June 2016 - #OpKillary
A cyber campaign against Hillary Clinton. During June 2016, Ghost Squad Hackers threatened to leak personal information related to Hillary Clinton and claimed responsibility for shutting down her website and additional websites of her funders.

July 2016 - #OpTurkey
A cyber campaign against Turkish government websites to protest against the Turkish support for ISIS. During July 2016, Ghost Squad Hackers claimed responsibility for shutting down Turkish government websites.

July 2016 - #OpAltonSterling
A cyber campaign protesting police brutality after Alton Sterling, a 37-year-old black man, was shot at close range by two police officers in Baton Rouge, Louisiana in July 2016. In July 2016, Ghost Squad Hackers defaced a subdomain of the website of Baton Rouge City.

July 2016 - #OpKillingBay
A cyber campaign against websites related to the Sea World industry and countries that hunt sea mammals, such as Japan, Denmark etc. In July 2016, Ghost Squad Hackers claimed responsibility for shutting down the seaworldparks.com website.

July & August 2016 - #OpAfghan
A cyber campaign against the government of Afghanistan to protest against its political relationship with the USA and against the situation of the Hazaras, a Shia minority in Afghanistan and Pakistan. During July and August 2016, Ghost Squad Hackers defaced several Afghan government websites and hacked the Twitter account of Afghanistan’s Chief Executive Officer Dr. Abdullah Abdullah.

October 2016 - #OpSyria
A cyber campaign against the Syrian government to protest against the war crimes that were committed there. During October 2016, Ghost Squad Hackers claimed responsibility for shutting down Syrian government websites.

… Russian telecommunication company and shutting down a website of a Russian bank.

June 2018 - Targeting Canadian websites
During June 2018, Ghost Squad Hackers hacked a server and defaced various Canadian websites.

June 2018 - Targeting Cuban websites
During June 2018, Ghost Squad Hackers hacked a server and defaced various Cuban websites.

June 2018 - Targeting websites of Bangladesh government
During June 2018, Ghost Squad Hackers defaced several websites belonging to the government of Bangladesh.

… Sudanese government and official websites.

August 2019 - Targeting government websites of Ecuador
During August 2019, Ghost Squad Hackers claimed responsibility for shutting down government websites of Ecuador in order to protest against Julian Assange’s extradition in April 2019.

Timeline: 2013 - #OpIsrael; 2014; 2018.

169
Techniques (MITRE ATT&CK)
Collection: T1005 - Data from Local System
Impact: T1491 - Defacement; T1498 - Network Denial of Service

171
ATK 141 - LORIAN SYNARO
Alias: LORIAN SYNARO, @LORIANSYNARO, TAG-HA15
Threat Actor: Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted Sectors: Financial Services, Government Agencies
Motivations & Objectives: Ideology
Score: 26
Language: English
Assumed origin of the attacker: Unknown

DESCRIPTION
Lorian Synaro is a hacktivist threat actor affiliated with the Anonymous collective. He has been active since at least March 2018, when he joined Twitter. Lorian Synaro has taken part in various hacktivist campaigns. He mainly publishes claims that he has taken target websites offline, although he has also claimed to have defaced multiple websites, as well as leaking information from targeted organizations. In addition, he is highly engaged in promoting hacktivist campaigns and sharing the activities of his fellow hacktivists.

CAMPAIGNS

2018 - Present - #OpIsrael
A pro-Palestinian and anti-Israel cyber campaign which occurs annually on April 7 since 2013. Lorian Synaro has claimed to have taken offline many Israeli websites, although he has also taken responsibility for defacements and shared some data leaks.

2018 - #OpIcarus
#OpIcarus is a hacktivist cyber operation launched by Anonymous in 2016 against websites and services associated with the global financial system. Lorian Synaro has mainly taken responsibility for taking offline various websites of financial institutions and banks.

2018 - Present - #OpNicaragua
A hacktivist campaign against the government of Nicaragua in protest against its alleged repression of protest movements in the country. Lorian Synaro is highly active in this campaign, publishing claims for taking offline many Nicaraguan governmental …

2018 - #OpCatalunya / #OpCatalonia
A hacktivist cyber campaign first launched in 2017 against Spanish targets in support of Catalonia’s independence. Lorian Synaro mainly published claims for the taking offline of various Spanish websites.

2018 - #OpVenezuela
A hacktivist campaign against the Venezuelan government. Lorian Synaro published several claims that he had taken offline multiple Venezuelan governmental websites as part of this campaign.

2018 - #OpKhashoggi, #OpSaudi, #OpSaudiArabia
A cyber campaign against Saudi Arabia that was launched by Anonymous in October 2018 in response to the assassination of Saudi journalist Jamal Khashoggi in the Saudi consulate in Istanbul. Lorian Synaro has published various claims that he had taken offline Saudi websites, and he also shared some data leaks as part of the campaign.

2018 - #OpYemen
A hacktivist cyber operation against Saudi Arabia in protest against the Saudi-led intervention in Yemen that allegedly resulted in the starvation of Yemen’s population. Lorian Synaro has claimed he had taken offline the website of the House of Saud, the royal family of Saudi Arabia.

2018 - #OpGabon
A hacktivist campaign by Anonymous against Gabonese targets in protest against the alleged ritual killings of Gabonese citizens and the alleged dictatorship in the country. Lorian Synaro has published various claims that he had taken offline Gabonese websites.

2018 - #OpCongo
A hacktivist cyber operation against the oppression and dictatorship in Congo, according to Lorian Synaro. Lorian Synaro has published various claims that he had taken offline Congolese governmental websites.

… in France. Lorian Synaro has claimed he had taken offline several French websites as part of this campaign.

2018 - Present - #OpSudan
A cyber campaign that supports the protests against the Sudanese government. Lorian Synaro was highly active in promoting this campaign and has extensively participated in it. He has taken part in taking offline, defacing and leaking information as part of the campaign, and also shared the activities of his fellow hacktivists.

2019 - #OpZimbabwe
A hacktivist campaign against the government of Zimbabwe. Lorian Synaro has taken responsibility for the taking offline of a few governmental websites and websites of financial organizations in Zimbabwe.

2019 - #OpHonduras
A hacktivist campaign against the allegedly oppressive and tyrannical regime in the country. Lorian Synaro has claimed he had taken offline two governmental websites and defaced one.

Timeline: 2018-present - #OpIsrael, #OpNicaragua; 2018 - #OpIcarus; 2018 - #OpCatalunya / #OpCatalonia; 2018 - #OpVenezuela; 2018 - #OpKhashoggi, #OpSaudi, #OpSaudiArabia; 2018 - #OpYemen; 2018 - #OpGabon; 2018 - #OpCongo; 2019 - #OpZimbabwe; 2019 - #OpHonduras; 2020.

173
Techniques (MITRE ATT&CK)
Collection: T1005 - Data from Local System
Impact: T1491 - Defacement; T1498 - Network Denial of Service

175
ATK 97 - El Machete
Alias: El Machete, Machete, TAG-NS1
Threat Actor: Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted Sectors: Communication, Defense, Energy, Government Agencies, Military
Motivations & Objectives: Cyber espionage
Score: 25
Language: Spanish

DESCRIPTION
El Machete is a cyber espionage group that has been active since 2010. They usually target the government and military sectors in Latin America, but also in several European countries, the USA and Korea. The source code of the group’s malware, usually distributed in sophisticated spear-phishing attacks, indicates they are Spanish speakers. It is unclear if they are a nation-sponsored group or cybercriminals that sell stolen sensitive information.

CAMPAIGNS

2010-2014 - Machete targets intelligence services and government institutions in Latin America and Spain
During this campaign, the group distributed the Machete malware with malicious PowerPoint presentations and social engineering techniques that also included a fake blog. They attacked Venezuela, Ecuador, Colombia, Peru, Cuba, Spain and Russia, where embassies of Latin American countries were detected.

2017 - Machete cyber espionage campaigns
Machete launched cyber espionage campaigns against government, utilities and military …

March - May 2019 - Targeting military and official institutions in Venezuela and Ecuador
During 2019, El Machete continued to target high-profile targets in Latin America, specifically in Venezuela, where sensitive information related to the country’s military and official institutions was stolen, and also in Ecuador. During this campaign they used a new version of the Machete malware that was first detected in April 2018. The malware was spread by spear-phishing attacks, using real documents that had been stolen in previous attacks. In addition, they used Radiogramas, documents used for communication in …

Timeline: 2010 - Machete targets intelligence services and government institutions in Latin America and Spain; 2011; 2012; 2013; 2014; 2015; 2016; 2017 - Machete cyber espionage campaigns; 2018.

Latin America
177
ATK 143 - LulzSec Italia
Alias: LulzSec Italia, LulzSecITA, Lulz Security Italy, TAG-HA1
Threat Actor: Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted Sectors: Administration, Communication, Cyber-security, Defense, Education, Government Agencies, Healthcare, High-Tech, Manufacturing, Media, Military, Pharmaceutical, Political Organizations, Research, Labor Unions, Transportation
Motivations & Objectives: Ideology, Unpredictable
Score: 25
Language: Italian
Assumed origin of the attacker: Italy

DESCRIPTION
LulzSec Italia is an Italian hacktivist collective that has dominated, alongside other groups (e.g. Anonymous Italia, AntiSec Italia, and AnonPlus), the Italian hacktivist landscape during the past decade. We tracked the activity of the group back to 2011, when the first attacks against multiple Italian universities were registered. In line with the global LulzSec movement, LulzSec Italia also embraces an anarchist ideology and conducts attacks for “fun.” Nonetheless, we always identify a clear political/social motive behind the attacks, denoting a digression from the mainstream conduct of the global LulzSec movement. In this regard, the group also engages in real-life demonstrations (e.g. OpPaperstormITA). This observation is strengthened by the recent alliance established by the group with Anonymous Italia, in 2018, a significantly more ideology-driven group. With regard to the types of attacks performed by LulzSec Italia, the group was observed conducting mainly data leaks, defacements, and rarely DDoS attacks.

CAMPAIGNS

2011 - ongoing - #OpGreenRights Campaign

February 2018 - Il Messaggero Attack

Timeline: 2011-ongoing - #OpGreenRights campaign; 2011-ongoing - #OperationItaly campaign.

Italy
179
ATK 138 - HABIL MOONZ
Alias: HABIL MOONZ, INDONESIALINUXER, MOONZLINUXER, MRMOONZ, TAG-HA13
Threat Actor: Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted Sectors: Communication, Cyber-security, Government Agencies, High-Tech
Motivations & Objectives: Ideology
Score: 24
Language: English and Indonesian

DESCRIPTION
MrMoonz (Habil Moonz) is an Anonymous-affiliated Indonesian hacktivist who describes himself as an exploiter, network security specialist and pentester specializing in Linux. He was a member of the hacktivist group Rabbit Security Team, which mainly defaced websites. Also, according to his Facebook and Instagram accounts, he is a student at the public university Institut Teknologi Bandung Kampus Jatinangor. During May-June 2019, he targeted the Indonesian government during the #OpIndonesia cyber campaign. Moreover, unlike other hacktivists, who are usually focused on the government and financial sectors, he also carried out a cyber-attack against two ICS systems of Indonesian companies via Metasploit commands and promised to cause a blackout.

CAMPAIGNS

2013 - present - #OpIsrael
A pro-Palestinian and anti-Israel cyber campaign which occurs annually on April 7 since 2013. MrMoonz published tweets …

… 21, 2019. MrMoonz published a target list of Indonesian government websites and DDoS tools. He also took responsibility for shutting down one of the Indonesian …

Timeline: 2013-present - #OpIsrael; 2014; 2015.

Indonesia
181
ATK 122 - ANONYMOUS ARGENTINA
Alias: ANONYMOUS ARGENTINA, ATK 122, TAG-HA5
Threat Actor: Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted Sectors: Energy, Government Agencies, International Organizations, Political Organizations
Motivations & Objectives: Ideology
Score: 23
Language: Spanish

DESCRIPTION
Anonymous Argentina is apparently a low-skilled hacktivist group that is associated with the Anonymous collective, operating in Argentina since at least 2012. The group is not very active, and mainly engages in minor defacements and data leaks of government-related institutions in South America (mainly Argentina), mainly during campaigns related to South America that are carried out by Anonymous groups.

CAMPAIGNS

2015 - Present - #OpArgentina
… hundreds of records containing names, …

Timeline: 2015.

Argentina
183
ATK 130 - FALLAGA TEAM
Alias: FALLAGA TEAM, TAG-CT4
Threat Actor: Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted Sectors: Aerospace, Aviation, Communication, Construction, Education, Financial Services, Government Agencies, Healthcare, Hospitality, Media, Political Organizations
Motivations & Objectives: Ideology, Revenge
Score: 23
Language: Arabic
Assumed origin of the attacker: Tunisia

DESCRIPTION
Fallaga Team is a Tunisian Islamist hacker group. Their goal is to spread the word of Islam and help all Muslims. Fallaga Team claims it is not an extension of the Islamic State (ISIS), although its Facebook page states that it shares similar religious and political ideals. The group is named after the anti-colonial movement that fought for the independence of Tunisia; there were also Fallaga warriors in Algeria. The character in the group’s logo resembles the original Fallaga fighters. According to Fallaga Team’s Facebook page, the group has been active since at least July 2010. Apparently the group is no longer active and has ceased to operate. However, some threat actors that identified with the group are still performing cyber attacks on behalf of the group and use its name and logo. The group mainly performed defacements, data leaks, and DDoS attacks. The group was known for its attacks against Israeli websites, especially within #OpIsrael attacks. However, it attacked multiple other websites around the globe.

CAMPAIGNS

May 2013 - OpUSA
… 20,000 French websites were attacked, including military websites, small business websites, banks and more.

April 2015 - Belgian Website Attack
Fallaga Team attacked the Walloon Government website, the executive branch of Wallonia, and part of one of the six main governments of Belgium.

August 2015 - Thai Government

January 2017 - UK NHS Websites Attack
During January 2017, Fallaga Team defaced six National Health Service (NHS) websites as a protest against the West’s interference in the Middle East.

January 2017 - Australian Websites Attack
During January 2017, the website of the Treasurer of the Australian state of Victoria was hacked by Fallaga Team in response to the killing of innocent people in Syria. In addition, a number of Australian school and college websites were hacked.

Timeline: 2013; Dec-2016 - Op_zouari; 2017: Jan-2017 - UK NHS Websites Attack; Jan-2017 - Australian Websites Attack.

Tunisia
185
ATK 131 - RUSSIANSEC
Alias: RUSSIANSEC, @russiansec171, TAG-HA7
Threat Actor: Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted Sectors: Administration, Defense, Education, Energy, Food and Agriculture, Government Agencies, Healthcare, Media, Military, Transportation
Motivations & Objectives: Ideology
Score: 23
Language: Portuguese
Assumed origin of the attacker: Russia

DESCRIPTION
RUSSIANSEC is a group of hacktivists active since at least June 2019. We tracked the group’s activity and found that it is linked to operations conducted together with other well-known adversaries such as NewSecGroup, LorianSynaro, BSSNRI and DemonSad3 during the #OpIndonesia cyber campaign in 2019.

CAMPAIGNS

2019 - #OpSudan
On April 5, 2019, the group declared they had joined #OpSudan - a hacktivist cyber campaign against Omar Al-Bashir’s regime in Sudan. In this campaign, the group targeted multiple Sudanese Government-related domains and websites and claimed responsibility for DDoS attacks and defacement of the attacked websites. Of note, the attacks that were conducted were spread over a broad variety of sectors that involve government activity.

June 2019 - #OpIndonesia
A cyber campaign launched to protest against the violent clashes caused after the Indonesian elections (April 17, 2019) and the announcement of the Indonesian General Elections Commission on May 21, 2019. RUSSIANSEC claimed responsibility for hacking and leaking data of the Indonesian Armed Forces official website.

Timeline: 2019 - #OpSudan; Jun-2019 - #OpIndonesia; 2020.

Russia
189
ATK 134 - FXMSP
Alias: FXMSP, TAG-CRI7
Threat Actor: Cyber Criminal / Cyber Terrorist / Hacktivist / State Sponsored / Unknown
Targeted Sectors: Aviation, Cyber-security, Education, Energy, Financial Services, Food and Agriculture, Government Agencies, Manufacturing, Retail, Transportation
Motivations & Objectives: Personal-gain
Score: 22
Language: Russian, English
Assumed origin of the attacker: Russia

DESCRIPTION
ATK X is a hacker group operating in popular Russian- and English-speaking underground communities, active since at least 2017. The group has a long-standing reputation for selling sensitive information from high-profile global entities, mainly corporate and government networks worldwide. It is mostly known for breaching three top American anti-virus companies and offering the exfiltrated data for sale in April 2019.

CAMPAIGNS

October 2018 - Reliance Industries

October 2018 - April 2019 - Anti …

Timeline: 2018.

Russia
191
Alias: ATK 139, JTSEC, JTSEC3313, JTSEC1333, JTSEC1, TAG-HA12
Threat actor: Hacktivist
Targeted sectors: Financial Services, Government Agencies
Motivations & objectives: Ideology
Language: English, French
Score: 20
Assumed origin of the attacker: Canada
DESCRIPTION
JTSEC is a hacktivist threat actor affiliated with the Anonymous collective. He has been active at least since the end of 2016. JTSEC has taken part in various hacktivist campaigns over the years. His activity is focused on scanning websites as part of the campaigns, publishing the results on Pastebin and then sharing them on his personal Twitter account. The scans are performed for reconnaissance purposes, as they retrieve abundant information about the scanned websites, which can be leveraged by a potential attacker should he decide to target one of them. In addition, he also occasionally shares target lists for some of the campaigns.
CAMPAIGNS
2016 - Present - #OpDeathEathers: Cyber campaign against pedophiles and child trafficking networks.
2017 - 2017 - #OPBeast: Hacktivist cyber campaign against zoophilia and bestiality.
2017 - 2017 - #OpNazi: Hacktivist cyber campaign against Nazi and White Supremacy organizations.
2017 - 2018 - OpSpain/#OpEspana: ... was accused by the Spanish authorities of attacking Spain's National Intelligence Centre (CNI) during the Catalan elections.
2017 - Present - HunterUnit: Hacktivist cyber campaign against pedophiles' websites. It appears JTSEC is the main actor active in this campaign.
2017 - Present - #OpIcarus: OpIcarus is a hacktivist cyber operation launched by Anonymous in 2016 against websites and services associated with the global financial system.
2017 - Present - #OpIsis: Hacktivist cyber campaign launched by ...
2018 - 2018 - #OpJamalKhashoggi: ... 2018 in response to the assassination of Saudi journalist Jamal Khashoggi in the Saudi consulate in Istanbul.
2018 - 2018 - #Op_Tibet: Hacktivist cyber campaign against the Chinese regime in support of Tibet.
2018 - Present - #OpDomesticTerrorism: Hacktivist cyber campaign launched by Anonymous in 2017 against white supremacists and alt-right targets.
2018 - Present - #OpIsrael: A pro-Palestinian and anti-Israel cyber campaign which occurs annually on April 7 since 2013.
2018 - Present - #OpKilluminati: Hacktivist campaign against secret societies, such as the Freemasonry.
2018 - Present - #OpNicaragua: Hacktivist campaign against the government of Nicaragua in protest against its repression of protest movements in the country.
2018 - Present - #OpVenezuela: Hacktivist campaign against the Venezuelan government.
2019 - #OpSudan: Hacktivist campaign against Sudanese governmental targets.
Timeline: 2016-present #OpDeathEathers; 2017-2017 #OpBeast; 2017-2017 #OpNazi; 2017-2018 OpSpain/#OpEspana; 2017-present HunterUnit; 2017-present #OpIcarus; 2017-present #OpIsis; 2018-2018 #OpCatalonia; 2018-2018 #OpFrance; 2018-2018 #OpJamalKhashoggi; 2018-present #OpGabon; 2018-present #OpIsrael
Discovery
T1018 - Remote System Discovery
T1046 - Network Service Scanning
T1063 - Security Software Discovery
T1082 - System Information Discovery
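The reconnaissance scanning described above (network service scanning, T1046, and remote system discovery, T1018) leaves a characteristic footprint in perimeter logs: one source touching many ports on one host, or one port on many hosts, in a short window. The following detector is an added example written for this page, not code from the report or from any vendor; its log line format, thresholds and addresses (TEST-NET ranges) are constructed for illustration, and a real deployment would read firewall or NetFlow exports instead.

```python
"""Detect network service scanning (T1046) and remote system discovery
(T1018) in connection logs. Added example, not code from the report.

The log format, thresholds and IP addresses are constructed for the example
(TEST-NET ranges); real deployments would read firewall or NetFlow exports."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line format: "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <action>"
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\w+)$")


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, action = m.groups()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "port": int(port), "action": action}


def max_distinct_in_window(events, window):
    """events: list of (timestamp, value) tuples sorted by timestamp.
    Return the largest number of distinct values seen in any trailing window."""
    best = 0
    for i, (ts_i, _) in enumerate(events):
        start = ts_i - window
        seen = {v for ts, v in events[: i + 1] if ts >= start}
        best = max(best, len(seen))
    return best


def detect(lines, window_seconds=60, port_threshold=8, host_threshold=8):
    """Flag (src, dst) pairs touching many ports (port scan) and (src, port)
    pairs touching many hosts (host sweep) inside a sliding time window."""
    window = timedelta(seconds=window_seconds)
    by_src_dst = defaultdict(list)   # (src, dst)  -> [(ts, port)]
    by_src_port = defaultdict(list)  # (src, port) -> [(ts, dst)]
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # tolerate malformed lines instead of crashing the detector
        by_src_dst[(ev["src"], ev["dst"])].append((ev["ts"], ev["port"]))
        by_src_port[(ev["src"], ev["port"])].append((ev["ts"], ev["dst"]))

    findings = {"port_scan": [], "host_sweep": []}
    for (src, dst), evs in by_src_dst.items():
        n = max_distinct_in_window(sorted(evs), window)
        if n >= port_threshold:
            findings["port_scan"].append((src, dst, n))
    for (src, port), evs in by_src_port.items():
        n = max_distinct_in_window(sorted(evs), window)
        if n >= host_threshold:
            findings["host_sweep"].append((src, port, n))
    return findings


def constructed_log():
    """Constructed sample traffic (not real captures)."""
    lines = []
    # 203.0.113.5 probes ten ports on one host within two seconds: T1046 pattern
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 3306, 8080]):
        lines.append(f"2019-04-07T10:00:{i // 5:02d} 203.0.113.5 -> 192.0.2.10:{port} REJECT")
    # 198.51.100.7 knocks on port 445 of nine different hosts: T1018 pattern
    for i in range(1, 10):
        lines.append(f"2019-04-07T10:05:{i:02d} 198.51.100.7 -> 192.0.2.{i}:445 REJECT")
    # 192.0.2.50 makes a few ordinary HTTPS connections: benign
    for i in range(3):
        lines.append(f"2019-04-07T10:10:{i * 10:02d} 192.0.2.50 -> 192.0.2.10:443 ACCEPT")
    lines.append("malformed line that the parser must tolerate")
    return lines


SAMPLE_LOG_LINES = constructed_log()

if __name__ == "__main__":
    for kind, hits in detect(SAMPLE_LOG_LINES).items():
        for hit in hits:
            print(kind, *hit)
```

Both rules count distinct values rather than raw connection attempts, so a legitimate client retrying one port is never flagged, and the thresholds should be tuned per network (vulnerability scanners and monitoring hosts will need an allow-list).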
Alias: ATK 121, CyberGhost404, TAG-HA8
Threat actor: Hacktivist
Targeted sectors: Education, Financial Services, Government Agencies, Media
Motivations & objectives: Ideology
Language: English, Filipino
Score: 18
Assumed origin of the attacker: The Philippines
DESCRIPTION
CyberGhost404 is a hacktivist threat actor affiliated with the Anonymous collective. The threat actor has been active at least since March 2018 (when he joined Twitter). The threat actor declares himself the founder of the Filipino hacktivist group dubbed Philippine Cyber Eagles. The threat actor has been engaged in several hacktivist campaigns, amongst them #OpIsrael, #OpSudan and #OpAssange. He mainly publishes claims that he has taken multiple websites offline, and on several occasions he has claimed to have managed to leak data from targeted entities, sharing links to the stolen data on Pastebin. On one occasion, he has also shared a target list. The threat actor has also claimed to have taken additional targets offline outside the context of a hacktivist campaign, possibly as a display of his capabilities.
CAMPAIGNS
2019 - #OpAssange: Hacktivist campaign targeting the government of Ecuador and targets in the UK in response to the extradition of WikiLeaks founder Julian Assange to the authorities in the UK. The threat actor has shared a list of Ecuadorian governmental websites that have allegedly been taken offline, claimed to have taken offline various websites of local councils in the UK, and shared a link to an alleged UK local police departments' data leak.
2019 - #OpIsrael: A pro-Palestinian and anti-Israel cyber campaign which occurs annually on April 7 since 2013. The threat actor has claimed to have taken several Israeli websites offline.
2019 - #OpSudan: A cyber campaign that supports the protests ...
2019 - #OpVietnam: A hacktivist cyber campaign against the Vietnamese government and its anti-cybercrime authority in retaliation for the alleged hacking of many Filipino Facebook accounts by Vietnamese hackers, and in demand for their arrest. The threat actor has only shared a link to a target list on Pastebin and has not taken responsibility for participating in active attacks as part of this campaign.
2018 - 2019 - targeting Indian entities: In November 2018, the threat actor shared a link to leaked data he had extracted from the Indian Institute of Technology Guwahati, an academic institute situated in the city of Guwahati in India. In May 2019, the threat actor shared a link to leaked data he had extracted from the Cement Corporation of India Limited.
Timeline: 2018-2019 targeting Indian entities; 2019 #OpAssange; 2019 #OpIsrael; 2019 #OpSudan; 2019 #OpVietnam
Collection
T1005 - Data from Local System
Impact
T1498 - Network Denial of Service
Alias: ATK 124, CHUCKLING HELLA, CHUCKLING SQUAD, TAG-HA16, THE CHUCKLING SQUAD
Threat actor: Cyber Criminal
Targeted sectors: Communication, Media, Retail
Motivations & objectives: Personal-satisfaction
Language: Unknown
Score: 0
DESCRIPTION
The Chuckling Squad is a group of hackers in activity since at least August 2019. The group has targeted and hacked Twitter accounts of YouTubers and other social media influencers. Among the attacked influencers were @KingBach, @shanedawson, @jamescharles, @BigJigglyPanda, @zane, @I_AM_WILDCAT, @AmandaCerny, @LyricaLemonade and @Etika; the last and best-known account that was hacked is @jack, belonging to Twitter CEO Jack Dorsey. It was reported that the attacks were executed by tricking or bribing call-center workers of a specific mobile phone operator into SIM-card swapping. A SIM-card swap is a process that moves a phone number from one SIM card to another. If a hacker gains access to an account owner's calls and SMS messages together with the account credentials, it allows the attacker to obtain recovery passcodes if such were requested. After gaining access to the Twitter accounts, the hackers mostly posted tweets of an offensive nature with anti-Semitic and racist character. The hackers uploaded the tweets via an external service that allows posting tweets via SMS messages. Little is known about the hackers and their motives, yet we assume that their activity is aimed at gaining notoriety in hacking-related circles. While conducting the attacks, the group opened a Discord channel for discussions related to the attacks; the account was suspended, and it might have been intended for future activity involving hackers from the group.
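The two weaknesses the description exposes, SMS recovery codes that follow the phone number, and an SMS posting gateway that trusts the sending number, both have the same mitigation on the service side: treat a freshly swapped SIM as untrusted for a cooldown period. The policy below is an added example written for this page, not code from the report or from Twitter; it assumes the service can obtain a "SIM changed at <time>" signal for a number (several carriers expose such a lookup, but the record format and the 72-hour cooldown here are constructed).

```python
"""SIM-swap-aware policy for SMS recovery codes and SMS posting.
Added example, not code from the report or from Twitter.

Assumes the service receives a "SIM changed at <time>" signal for a phone
number (the record format and cooldown value are constructed). Policy: within
a cooldown after a SIM change, SMS may not be used to recover the account or
to post on its behalf; a non-SMS second factor keeps working."""
from dataclasses import dataclass
from datetime import datetime, timedelta

SIM_CHANGE_COOLDOWN = timedelta(hours=72)  # constructed policy value


@dataclass
class Account:
    handle: str
    phone: str
    sms_post_enabled: bool = False  # posting through an SMS gateway
    has_totp: bool = False          # authenticator app enrolled


@dataclass
class SimChangeRecord:
    """Constructed stand-in for a carrier SIM-change lookup result."""
    phone: str
    changed_at: datetime


def recent_sim_change(phone, sim_changes, now, cooldown=SIM_CHANGE_COOLDOWN):
    """Return the latest SIM change for `phone` inside the cooldown, else None."""
    hits = [r for r in sim_changes
            if r.phone == phone and timedelta(0) <= now - r.changed_at <= cooldown]
    return max(hits, key=lambda r: r.changed_at) if hits else None


def decide_recovery(account, channel, sim_changes, now):
    """Decide whether a recovery code may be delivered over `channel`.
    Returns (allowed, reason)."""
    if channel == "totp":
        return (True, "totp") if account.has_totp else (False, "totp_not_enrolled")
    if channel == "sms":
        if recent_sim_change(account.phone, sim_changes, now):
            # The number may now answer to someone else: refuse, and let the
            # caller raise an alert and offer a stronger factor instead.
            return (False, "sim_change_cooldown")
        return (True, "sms")
    return (False, "unknown_channel")


def decide_sms_post(account, sim_changes, now):
    """Decide whether a post-by-SMS message from account.phone may be published."""
    if not account.sms_post_enabled:
        return (False, "sms_posting_disabled")
    if recent_sim_change(account.phone, sim_changes, now):
        return (False, "sim_change_cooldown")
    return (True, "sms_post")


if __name__ == "__main__":
    now = datetime(2019, 8, 30, 12, 0)
    changes = [SimChangeRecord("+15550000001", datetime(2019, 8, 29, 20, 0))]
    acct = Account("@example_ceo", "+15550000001", sms_post_enabled=True, has_totp=True)
    print(decide_recovery(acct, "sms", changes, now))   # denied: cooldown
    print(decide_recovery(acct, "totp", changes, now))  # allowed
    print(decide_sms_post(acct, changes, now))          # denied: cooldown
```

The cooldown only buys time; the durable fix is to stop using the phone number as an authentication factor at all (authenticator app or hardware key) and to keep SMS posting disabled unless the user explicitly needs it.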
CAMPAIGNS
None identified
Assumed origin of the attacker: United States
Alias: ATK3, BUREAU 121, HIDDEN COBRA, LAZARUS
Threat actor: State Sponsored
Targeted sectors: Aerospace, Financial Services, Government Agencies, Media, Military
Motivations & objectives: Strategic Support
Language: Unknown
DESCRIPTION
Lazarus is not a single threat group. It represents the Bureau 121, which is one of the eight bureaus associated with the Reconnaissance General Bureau (RGB). The Bureau 121 is the primary office tasked with cyber operations. It was reorganized in September 2016 and it is now composed of:
Lab 110: the key cyber unit under the RGB; it applies cyberattack techniques to conduct intelligence operations.
• Office 98: primarily collects information on North Korean defectors, organizations that support them, overseas research institutes related to North Korea, and university professors in South Korea.
• Office 414: gathers information on overseas government agencies, public agencies, and private companies.
• Office 35: office concentrated on developing malware, researching and analyzing vulnerabilities, exploits, and hacking tools.
Unit 180: unit specialized in conducting cyber operations to steal foreign money from outside North Korea.
Unit 91: focuses on cyberattack missions targeting isolated networks, particularly South Korea's critical national infrastructure such as KHNP and the ROK Ministry of National Defense.
... the collection of intellectual property helping the development of weapons of mass destruction, or political espionage.
Cyber terrorism: in 2013 North Korea conducted disruptive attacks on South Korean media and financial companies (Operation DarkSeoul) and was responsible for the Sony hack linked to the movie "The Interview" in November 2014. These attacks occurred before the 2016 reorganization of the Bureau 121, which is why we cannot tell which unit is currently responsible for disruptive operations.
Money theft: one of the missions of the Bureau 121 is the collection of liquidity to finance these cyber activities and the DPRK itself. It is done by spreading ransomware like the infamous WannaCry, which collected $91.000, and through bank robbery. The cyber bank robbery is done by infiltrating the banking network to steal the SWIFT credentials and using these credentials to initiate transactions to an account controlled by the attacker. The best known is the Bangladesh Central Bank heist in February 2016, allowing the theft of $81m. This activity is carried on by the Unit 180, which has similar objectives to the North Korean threat group APT38 aka Stardust Chollima or BlueNoroff.
The Enemy Collapse Sabotage Bureau: tasked with information and psychological warfare.
A cyber operation involves the interaction of these different teams. For example, the Operation Bureau defines an objective, the Office 35 finds a usable exploit, the Unit 31 develops the backdoor and the lure documents with the help of the Enemy Collapse Sabotage Bureau to create an efficient spear-phishing document. The Unit 56 develops C2 software and maintains a C2 infrastructure which will be used by the Lab 110, Unit 180 or Unit 91 to achieve the objective. Due to this configuration, it is expected to find tools and infrastructure overlap between the different operation units.
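The bank-robbery pattern described above defeats authentication by design: the transfer instructions are issued with valid, stolen SWIFT credentials, so the login itself looks legitimate and the control has to examine the content and context of each instruction instead. The following review rules are an added example written for this page, not code from the report, from SWIFT or from any bank; the beneficiary history, thresholds, business hours and sample instructions are all constructed for illustration.

```python
"""Independent review of outgoing payment instructions (defensive control).

Added example, not code from the report. The page describes stolen SWIFT
credentials being used to initiate transfers to attacker-controlled accounts;
since the credentials are valid, detection has to come from the instruction's
content and context. History, thresholds and samples are constructed."""
from datetime import datetime

# Constructed history: beneficiary account -> largest amount previously paid (USD)
KNOWN_BENEFICIARIES = {
    "DE00EXAMPLE0000000001": 2_500_000.0,
    "GB00EXAMPLE0000000002": 750_000.0,
}

BUSINESS_HOURS = (8, 18)           # local hours during which payment staff work
APPROVAL_THRESHOLD = 1_000_000.0   # above this, a second approver is mandatory
OUTLIER_FACTOR = 3                 # amount > factor x historical ceiling is unusual


def review_instruction(instr, known=KNOWN_BENEFICIARIES):
    """Return the reasons an instruction should be held for manual review
    (empty list means it may proceed)."""
    reasons = []
    when = instr["created_at"]
    if instr["beneficiary"] not in known:
        # A never-seen beneficiary is the single strongest signal in this pattern.
        reasons.append("new_beneficiary")
        ceiling = max(known.values()) if known else 0.0
    else:
        ceiling = known[instr["beneficiary"]]
    if instr["amount"] > OUTLIER_FACTOR * ceiling:
        reasons.append("amount_outlier")
    if when.weekday() >= 5 or not (BUSINESS_HOURS[0] <= when.hour < BUSINESS_HOURS[1]):
        reasons.append("off_hours")  # nobody on duty to notice a bad batch
    if instr["amount"] >= APPROVAL_THRESHOLD and not instr.get("second_approver"):
        reasons.append("missing_second_approval")
    return reasons


def review_batch(instructions, known=KNOWN_BENEFICIARIES):
    """Map instruction id -> reasons. The whole batch should be held if any
    instruction carries a reason, since a compromised operator session will
    usually mix a few plausible transfers with the fraudulent ones."""
    return {i["id"]: review_instruction(i, known) for i in instructions}


# Constructed sample batch (dates chosen so 2019-02-05 is a Tuesday and
# 2019-02-09 a Saturday).
SAMPLE_INSTRUCTIONS = [
    {"id": "MSG-001", "beneficiary": "DE00EXAMPLE0000000001", "amount": 1_200_000.0,
     "created_at": datetime(2019, 2, 5, 10, 30), "second_approver": "ops-b"},
    {"id": "MSG-002", "beneficiary": "XX00EXAMPLE0000000009", "amount": 20_000_000.0,
     "created_at": datetime(2019, 2, 9, 2, 15)},
    {"id": "MSG-003", "beneficiary": "GB00EXAMPLE0000000002", "amount": 100_000.0,
     "created_at": datetime(2019, 2, 5, 19, 0)},
]

if __name__ == "__main__":
    for msg_id, reasons in review_batch(SAMPLE_INSTRUCTIONS).items():
        print(msg_id, "HOLD" if reasons else "OK", reasons)
```

The review runs on a system that does not share credentials or sessions with the payment operators' workstations; if it lived on the same compromised host the attacker could simply disable it, which is why the "independent" part matters as much as the rules.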
Assumed origin of the attacker: North Korea
Reference: "2019, The All-Purpose Sword: North Korea's Cyber Operations and Strategies", https://ccdcoe.org/uploads/2019/06/Art_08_The-All-Purpose-Sword.pdf
Index _
ORIGINS
Argentina - p. 182
Brazil - p. 148, 150, 140
Canada - p. 192
China - p. 38, 40, 44, 80, 106, 152, 156
Colombia - p. 88
France - p. 42, 60
Gaza Strip - p. 58
India - p. 48
Indonesia - p. 180
Iran - p. 26, 64, 76, 114
Italy - p. 144, 178
Latin America - p. 176
Lebanon - p. 94
North Korea - p. 50, 68, 200
Pakistan - p. 50
Palestinian National Authority - p. 136
Peru - p. 88
Russia - p. 14, 18, 30, 34, 72, 84, 100, 116, 162, 188, 190
Saudi Arabia - p. 130
Serbia - p. 160
South Korea - p. 96
Spain - p. 66
Syria - p. 126
The Philippines - p. 158, 196
Tunisia - p. 184
Ukraine - p. 66
United Kingdom - p. 160
United States - p. 160, 198
Unknown - p. 46, 54, 56, 82, 92, 104, 108, 112, 120, 164, 172
Venezuela - p. 88
Vietnam - p. 50
Worldwide - p. 134, 168
ATTACK TYPES
Cyber criminal - p. 46, 54, 56, 60, 66, 72, 88, 116, 120, 124, 130, 160, 190, 198
Hacktivist - p. 88, 96, 130, 140, 144, 148, 150, 158, 162, 168, 172, 178, 180, 182, 184, 188, 192, 198
State sponsored - p. 14, 18, 22, 26, 30, 34, 38, 40, 42, 44, 48, 50, 58, 64, 68, 76, 80, 82, 84, 92, 94, 96, 100, 104, 106, 108, 112, 114, 124, 136, 152, 156, 164, 176, 200
Terrorist - p. 126, 134, 136
TARGETS
Afghanistan - p. 18, 82, 136, 158, 168
Africa - p. 108
Algeria - p. 42, 136, 140
Angola - p. 148
Argentina - p. 66, 88, 140, 176, 168, 182
Armenia - p. 18, 66, 72, 82
Australia - p. 22, 88, 116, 134, 152, 184
Austria - p. 42, 46, 64, 66, 72
Azerbaijan - p. 14, 26, 64, 66, 72, 82
Bahamas - p. 140
Bahrain - p. 64
Bangladesh - p. 48, 50, 72, 140, 158, 168
Barbados - p. 140
Belarus - p. 18, 66, 72, 82, 84
Belgium - p. 14, 18, 82, 84, 176, 184
Bolivia - p. 88, 176
Brazil - p. 18, 50, 88, 176, 140, 144, 148, 150, 158, 162, 168
Bulgaria - p. 18, 66
Cambodia - p. 40, 140
Cameroon - p. 168
Canada - p. 18, 30, 66, 126, 136, 152, 158, 168, 176
Central African Republic - p. 158
Central Asia - p. 44, 64, 84, 108
Ceylon - p. 48
Chechnya - p. 14
Chile - p. 50, 120, 136
China - p. 18, 22, 42, 44, 48, 66, 88, 94, 96, 104, 120, 136, 152, 158, 176, 192
Colombia - p. 88, 140, 148, 162, 176, 190
Congo - p. 172
Costa Rica - p. 140
Cuba - p. 176, 168
Cyprus - p. 72
Czech Republic - p. 14, 66, 72
Democratic Republic of the Congo - p. 42
Denmark - p. 136
Djibouti - p. 136
Dominican Republic - p. 88, 158
Eastern Asia - p. 38, 120
Eastern Europe - p. 38, 64
Ecuador - p. 88, 150, 162, 168, 176, 182, 192, 196
Egypt - p. 58, 112, 134, 136, 158
Estonia - p. 66
Europe - p. 42, 48, 54, 84
European Union - p. 140
France - p. 30, 60, 84, 88, 94, 116, 126, 134, 140, 144, 152, 158, 162, 172, 176, 184, 192
Casino and gaming - p. 88, 116, 130, 160
Communication - p. 22, 44, 76, 80, 88, 104, 116, 126, 130, 140, 148, 156, 168, 176, 178, 180, 184, 198
Construction - p. 184
Cybersecurity - p. 18, 88, 140, 178, 180, 190
Defense - p. 14, 18, 38, 44, 58, 64, 76, 84, 88, 94, 96, 104, 106, 126, 134, 136, 140, 144, 150, 152, 156, 158, 162, 176, 178, 188
Dissident - p. 76
Labor Unions - p. 178
Manufacturing - p. 22, 44, 68, 76, 88, 94, 144, 158, 160, 162, 178, 19
Maritime and shipbuilding - p. 106
Media - p. 18, 22, 38, 42, 50, 58, 64, 66, 76, 88, 92, 94, 106, 112, 126, 130, 134, 136, 144, 150, 152, 160, 168, 178, 184, 188, 196, 198, 200
Military - p. 22, 42, 58, 80, 82, 88, 96, 104, 126, 134, 144, 158, 168, 176, 178, 188, 200
Naval - p. 22, 40, 44, 88, 134, 144, 160
MOTIVATIONS
Attacks on industrial security systems almost exclusively with destructive intent - p. 100, 108
Coercion - p. 94, 126, 130
Cyber espionage - p. 26, 34, 42, 82, 176
Data Theft - p. 42, 84, 104, 156
Dominance - p. 126, 130
Espionage - p. 18, 22, 30, 38, 40, 42, 44, 64, 68, 76, 80, 84, 92, 96, 106, 112, 114, 152, 156, 164
Financial gain - p. 46, 50, 54, 56, 60, 66, 72, 88, 94, 116, 120, 124, 126, 130, 134, 160, 190
Ideology - p. 58, 88, 94, 126, 134, 136, 140, 144, 148, 150, 162, 168, 172, 178, 180, 182, 184, 188, 192, 196
Notoriety - p. 50, 88, 126, 134
Personal-satisfaction - p. 130, 140, 158, 198
Political manipulation - p. 18
Revenge - p. 126, 130, 134, 184
Sabotage - p. 34
Strategic support - p. 200
Unpredictable - p. 94, 126, 134, 140, 158, 178
References _
ATK117
05/01/2018, TrendMicro, New KillDisk Variant Hits Financial Organizations in Latin America, https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-financial-organizations-in-latin-america/
12/06/2018, Bluvector, Lazarus Group Uses KillDisk as a Distraction for SWIFT Attacks, https://www.bluvector.io/threat-report-lazarus-group-killdisk-swift/
03/10/2018, FireEye, APT38: Un-Usual Suspects, https://content.fireeye.com/apt/rpt-apt38
05/08/2019, Reuters, North Korea took $2 billion in cyberattacks to fund weapons program: U.N. report, https://www.reuters.com/article/us-northkorea-cyber-un/north-korea-took-2-billion-in-cyber-attacks-to-fund-weapons-program-u-n-report-idUSKCN1UV1ZX
ATK120
Dragos, HEXANE, https://dragos.com/resource/hexane/
27/08/2019, Dell Secureworks, LYCEUM Takes Center Stage in Middle East Campaign, https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign
27/08/2019, Threat Post, Oil and Gas Firms Targeted By New LYCEUM Threat Group, https://threatpost.com/oil-and-gas-firms-targeted-by-new-lyceum-threat-group/147705/
ATK121
https://twitter.com/CyberGhost404
https://www.youtube.com/channel/UCqMhJooh1DU1eegH5jSv5gQ
18/04/2019, Records from Over Two Dozens Local Police Departments Across The UK Hacked & Leaked Online by CyberGhost404, https://roguemedialabs.com/2019/04/18/records-from-over-two-dozens-local-police-departments-across-the-uk-hacked-leaked-online-by-cyberghost404/
06/08/2019, Vietnamnet, Hacker Phillippines tấn công web Việt Nam, trả đũa việc bị mất Facebook, https://vietnamnet.vn/vn/cong-nghe/bao-mat/hacker-phillippines-tan-cong-web-viet-nam-tra-dua-viec-bi-mat-facebook-556466.html
ATK122
https://www.facebook.com/Anonymous-ARG-448319398567509
https://www.facebook.com/OperationArgentina/
https://by-clips.com/channel/UCh52_wDpwZP4tXp97XtKAqg
https://www.youtube.com/channel/UCSWZ7Q6v6Q7Bi-NymMabCIA
https://twitter.com/anonymouswararg
https://twitter.com/AnonymousArgOfi
ATK123
https://twitter.com/Anon_ITA
https://twitter.com/OperationItaly
https://twitter.com/Anon_Otherwise
https://www.anon-italy.blogspot.it/
https://www.youtube.com/channel/UCicIdxizhftaMDXljKPRKRg
http://f7qiyb3e7h2cp3ku.onion
21/05/2015, La Stampa, Il blitz della postale contro Anonymous: i dettagli, https://www.lastampa.it/tecnologia/2015/05/21/news/il-blitz-della-postale-contro-anonymous-i-dettagli-1.35264323
11/12/2018, Edoardo Limone, Cyber Attacchi in Italia: un calendario e tante riflessioni, https://www.edoardolimone.com/blog/2018/12/11/cyber-attacchi-in-italia-un-calendario-e-tante-riflessioni/
ATK124
18/2019, Know Your Meme, Chuckling Squad Hacks, https://knowyourmeme.com/memes/events/chuckling-squad-hacks
31/08/2019, BBC, Twitter CEO and co-founder Jack Dorsey has account hacked, https://www.bbc.com/news/technology-49532244
30/08/2019, BBC, Twitter C.E.O. Jack Dorsey's Account Hacked, https://www.nytimes.com/2019/08/30/technology/jack-dorsey-twitter-account-hacked.html
24/08/2019, BBC, After Shane Dawson, Hackers Come For James Charles, https://dankanator.com/26229/after-shane-dawson-hackers-james-charles/
ATK125
https://twitter.com/iznaye
https://twitter.com/Baronnet_Noir
https://twitter.com/xslncd
https://twitter.com/MrWolf03683135
14/04/2019, Defcon-lab, Hacktivismo – OpEcuador – Continuação (2), https://www.defcon-lab.org/hacktivismo-opecuador-continuacao-2/
14/04/2019, Defcon-lab, Hacktivismo – OpEcuador – Continuação (3), https://www.defcon-lab.org/hacktivismo-opecuador-continuacao-3/
01/05/2019, Rogue Media Labs, xS1lenc3d of Iznaye Dumps +70,000 Customer Emails Online Following Attack on The Forums of Peugeot France, https://roguemedialabs.com/2019/05/01/xs1lenc3d-of-iznaye-dumps-70000-customer-emails-online-following-attack-on-the-forums-of-peugot-france/
ATK126
English Dark-Web Forum
ATK127
https://twitter.com/DemonSad3
https://www.youtube.com/channel/UCACXA7rvIHzSksCzsH-ED2Q
https://pastebin.com/u/DemonSad3
ATK128
06/06/2016, Tech Crunch, Zuckerberg's Twitter, Pinterest, LinkedIn accounts hacked, https://techcrunch.com/2016/06/06/zuckerbergs-twitter-pinterest-linkedin-accounts-hacked/
27/06/2016, Venture Beat, OurMine hacks Google CEO Sundar Pichai's Quora and Twitter accounts, https://venturebeat.com/2016/06/27/ourmine-hackers-break-into-google-ceo-sundar-pichais-quora-and-twitter-accounts/
14/07/2016, Hacked, Hacking Group OurMine Claim HSBC Servers Takedown, https://hacked.com/hacking-group-ourmine-claim-hsbc-servers-takedown/
18/07/2016, International Business Times, 'Pokemon Go' Servers Brought Down By OurMine DDoS Attack, https://www.ibtimes.com/pokemon-go-servers-brought-down-ourmine-ddos-attack-2392273
26/07/2016, Gizmodo, The Group That Hacked Mark Zuckerberg Is Now Going After News Sites, https://gizmodo.com/the-group-that-hacked-mark-zuckerberg-is-now-going-afte-1784308701
28/08/2016, BuzzFeed, Hackers Gain Access To Uber CEO Travis Kalanick's Twitter, https://www.buzzfeednews.com/article/josephbernstein/hackers-gain-access-to-uber-ceo-travis-kalanicks-twitter
04/10/2016, BuzzFeed, This Saudi Teen Is Probably Behind The Hacks Of Dozens Of Tech CEOs And Celebrities, https://www.buzzfeednews.com/article/josephbernstein/this-saudi-teen-is-probably-behind-the-hacks-of-dozens-of-te
ATK143
https://twitter.com/LulzSec_ITA
https://www.facebook.com/lulzsecitalia
http://lulzsec-news.blogspot.com
Attacks time line: https://www.edoardolimone.com/calendario-attacchi/
07/07/2011, Roma Today, Attacco hacker: Frati tranquillizza studenti e professori, https://nomentano.romatoday.it/san-lorenzo/attacco-hacker-rettore-frati-la-sapienza.html
22/02/2018, ADNkronos, Anonymous attacca Salvini: online 70mila mail, https://www.adnkronos.com/fatti/politica/2018/02/22/anonymous-attacca-salvini-online-mila-mail_vTaL8s86sduCGDCAaJQWTK.html
09/03/2018, AGI, Precisazione della precisazione. Il doppio salto mortale del Miur sull'attacco hacker, https://www.agi.it/blog-italia/cybersecurity/attacco_hacker_miur_replica-3608917/post/2018-03-09/
15/03/2018, Edoardo Limone, Intervista a LulzSecITA su OpPaperStormITA di Anonymous, https://www.edoardolimone.com/blog/2018/03/15/intervista-a-lulzsec-su-oppaperstorm-di-anonymous/
15/03/2018, Startup Italia, Anonymous torna alle origini e invita all'azione contro corruzione e povertà, https://cybersecurity.startupitalia.eu/60736-20180315-anonymous-contro-corruzione-poverta
16/09/2018, La Repubblica, Anonymous torna a colpire: dopo i sindacati hackerati ora i dati di militari in congedo, https://www.repubblica.it/tecnologia/sicurezza/2018/09/16/news/anonymous_italia_torna_a_colpire_dopo_scuola_e_sindacato_hackerati_i_dati_dei_militari_in_congedo-206626543/
05/11/2018, Edoardo Limone, Fine della settimana nera: tiriamo un bilancio degli attacchi, https://www.edoardolimone.com/blog/2018/11/05/fine-della-settimana-nera-tiriamo-un-bilancio-degli-attacchi/
05/11/2018, La Repubblica, Nuovo attacco di Anonymous Italia: diffusi i dati di ministeri e polizia, https://www.repubblica.it/tecnologia/sicurezza/2018/11/05/news/nuovo_attacco_di_anonymous_italia_diffusi_i_dati_di_ministeri_e_polizia-210845817/
11/12/2018, Edoardo Limone, Cyber Attacchi in Italia: un calendario e tante riflessioni, https://www.edoardolimone.com/blog/2018/12/11/cyber-attacchi-in-italia-un-calendario-e-tante-riflessioni/
13/01/2019, La Repubblica, Morti sul lavoro, la protesta di Anonymous: hackerati i siti delle agenzie per il lavoro, https://www.repubblica.it/cronaca/2019/01/13/news/morti_sul_lavoro_la_protesta_di_anonymous_hackerati_i_siti_delle_agenzie_per_il_lavoro-216468315/
08/03/2019, AGI, Gli hacker hanno 'bucato' la Motorizzazione di Roma, https://www.repubblica.it/cronaca/2019/01/13/news/morti_sul_lavoro_la_protesta_di_anonymous_hackerati_i_siti_delle_agenzie_per_il_lavoro-216468315/
22/06/2019, AGI, Il collettivo hacker LulzSec colpisce ancora, https://www.agi.it/cronaca/hacker_lulzsec_attacco-5705454/news/2019-06-22/
Notes _