Threat Groups & Threat Intelligence |
|
Threat Group Sources |
|
Named sources |
APTNotes - GitHub repo | https://github.com/kbandla/APTnotes |
APTNotes - website | https://aptnotes.malwareconfig.com/ |
Targeted Cyber Attacks Logbook (Kaspersky) | https://apt.securelist.com/ |
Cyber Campaigns | http://cybercampaigns.net/ |
(Slides) Cyber Espionage: Nation-State APT Attacks on the Rise | http://www.slideshare.net/Cyphort/cyber-espionage-nation-stateaptattacksontherise |
(Slides) CrowdCasts Monthly: You Have an Adversary Problem | http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem |
CrowdStrike Blog | http://www.crowdstrike.com/blog/ |
Securelist.com Blog (Kaspersky) | https://securelist.com/ |
|
Numbered sources |
1 | https://www.fireeye.com/current-threats/apt-groups.html |
2 | https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections |
3 | https://attack.mitre.org/groups/ |
4 | https://www.thaicert.or.th/downloads/files/Threat_Group_Cards_v2.0.pdf |
5 | https://icitech.org |
6 | https://www.secureworks.com/research/threat-profiles |
7 | MITRE links to APT groups (see the MITRE ATT&CK Threat Groups list below) |
8 | IP reputation feed: IPs to block (no link given) |
9 | https://threatconnect.com/free/ |
10 | https://securelist.com/tag/apt (Kaspersky) |
11 | https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/edit#gid=361554658 | Includes an APT cross-reference; scroll right to see toolsets, targets, modes, comments and additional links; scroll down to see authors |
12 | https://otx.alienvault.com/browse/adversaries |
13 | https://github.com/kbandla/APTnotes (same repo as the APTNotes GitHub entry above) |
14 | https://threatminer.org |
15 | https://www.fbi.gov/wanted/cyber |
16 | https://theintercept.com/technology/ |
17 | https://electrospaces.blogspot.com |
Sample Threat Groups |
|
Name | Country |
Carbanak / FIN7 | Criminal group (leader arrested in Spain, 2018) |
Bureau 121 | North Korea |
PLA Unit 61398 | China |
TEMP.Periscope | China |
APT 3, APT 4, APT 17 | China |
APT 28 / Fancy Bear | Russia |
Cozy Bear | Russia |
TAO / Equation Group | USA |
Sandworm / Electrum | Russia |
Tarh Andishan | Iran |
Energetic Bear, Dragonfly, Crouching Yeti | Russia |
Snowglobe, Animal Farm | France |
|
Additional sources |
Cyber Operations by CFR | https://www.cfr.org/interactive/cyber-operations |
Symantec Health Care Attacks (ISTR 2017) | https://www.symantec.com/content/dam/symantec/docs/reports/istr-healthcare-2017-en.pdf |
FireEye Threat Actors | https://www.fireeye.com/current-threats/apt-groups.html |
MITRE ATT&CK Groups | https://attack.mitre.org/wiki/Groups |
APT_CyberCriminal_Campagin_Collections | https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections |
Dragos' Adversary Groups (ICS specialists) | https://dragos.com/adversaries.html |
ClearSky Raw Threat Intel | https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXB85f6VL_Zm79wtTK59xADKh6MG0G7hSBZi8cPOiQVWAIie0/pub |
|
|
|
|
Attack Groups; Advanced Persistent Threat (APT) Groups |
|
See also the MITRE ATT&CK Threat Groups list further down this page. |
|
|
Attack groups from https://icitech.org |
|
|
Agent.btz, allshell campaign, anchor panda, Anger Bear/ Berserk Bear, APT, APT 1, APT 10, APT 12, APT 16, APT 18, APT 2, APT 28/ Sofacy Group/ Sednit Group/ Tsar Team/ Fancy Bear/ Operation Pawnstorm/ Group 74/ Strontium/ Operation Russian Doll, APT 3, APT 9, APT advisory, APT 29/ Hammertoss/ Group 100/ Minidionis, Attribution, Axiom, Berserk Bear, blue termite, boing-job, Boulder Bear, breach, BuhTrap, c0d0so0, Carbanak/ Carbon Spider/ Anunak/ Operation Odinaff, Carberp/ Operation Moonlight Maze, China, CloudDuke/ MiniDionis/ CloudLook, codoso, CosmicDuke/ Tinybaron/ BotgenStudios/ NemesisGemina, CozyDuke/ CozyCar/ CozyBear/ Office Monkeys/ Cozer/ EuroAPT, Cyber Berkut, cyber mercenary, Cyber-Jihad, Deep Panda, derusbi, downmicrosoft, dtl, elderwood project, eloquent panda, Energetic Bear/ Dragonfly/ Havex/ Crouching Yeti/ Koala Team/ Group 24, exploit kit, FSB 16th & 18th Centers/ Operation Armageddon, GeminiDuke, google-blogspot campaign, Grizzly Steppe, hack, hail-mary threat actor, Hellsing, Hidden Lynx, hurricane panda, icefrog, ICIT, indicator of compromise, institute for critical infrastructure technology, IoC, James Scott, Know Your Enemies 3.0, lotus blossom, luckme, MiniDuke, Mirage, naikon, nation state, nettraveler, night dragon, North Korea, OceanLotus, OnionDuke, Operation Inception, Operation Red October/ Operation Cloud Atlas, packets campaign, patchwork, PinchDuke, piping, Project Sauron, ru.pad62, RUAG Espionage Case (via GovCERT), Russia, Sandworm/ Quedagh/ BlackEnergy/ TEMP.Noble, ScarCruft/ Operation Daybreak/ Operation Erebus, SeaDuke/ SeaDaddy/ SeaDask, Shark Spider, stone panda, suckfly, sunshop digital quartermaster group, sunshop group, TeamSpy/ TeamSpy Crew, Union Spider, updat1, Uroburos/ Epic Turla/ Snake/ SnakeNet/ Venomous Bear/ Group 88/ Waterbug/ Turla Team/ Satellite Turla/ The 'Penquin' Turla/ Operation Witchcoven |
|
Agent.btz |
|
|
allshell campaign |
|
|
|
|
anchor panda |
|
|
|
|
Anger Bear/ Berserk Bear |
|
|
|
|
APT 1 |
PLA Unit 61398 (a Military Unit Cover Designator) is a People's Liberation Army unit alleged to be a source of Chinese computer intrusion activity; Mandiant's 2013 APT1 report tied the group to this unit. |
China |
|
|
APT 2 |
Putter Panda is a Chinese threat group that has been attributed to Unit 61486 of the 12th
Bureau of the PLA’s 3rd General Staff Department (GSD) |
China |
|
|
APT 3 |
APT3 is a China-based threat group that researchers have attributed to China's Ministry of State Security. The group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf and Operation Double Tap. As of June 2015 it appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong. |
China |
|
APT 10 / Stone Panda / MenuPass |
|
China |
|
|
|
APT 12 |
|
China |
|
|
APT 16 |
|
China |
|
|
APT 18 |
|
|
|
|
APT 28 / Sofacy Group/ Sednit Group/ Tsar Team/ Fancy Bear/ Operation Pawnstorm/ Group 74/ Strontium/ Operation Russian Doll |
https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf |
Russia |
|
|
APT 29 / Hammertoss/ Group 100 / Minidionis |
|
Russia |
|
|
|
|
|
|
APT 39 |
|
Iran |
Attribution source: icitech |
These references come from the ICIT (icitech.org) site, which is no longer active. |
|
|
Axiom, Berserk Bear |
|
|
blue termite |
|
|
boing-job |
|
|
Boulder Bear |
|
|
breach |
|
|
BuhTrap |
|
|
c0d0so0 |
|
|
Carbanak/ Carbon Spider/ Anunak/ Operation Odinaff, Carberp/ Operation Moonlight Maze |
|
|
China |
|
|
CloudDuke/ MiniDionis/ CloudLook |
|
|
codoso |
|
|
CosmicDuke/ Tinybaron/ BotgenStudios/ NemesisGemina |
|
|
CozyDuke/ CozyCar/ CozyBear/ Office Monkeys/ Cozer/ EuroAPT |
|
|
Cyber Berkut |
|
|
cyber mercenary |
|
|
Cyber-Jihad |
|
|
Deep Panda |
|
|
derusbi |
|
|
downmicrosoft |
|
|
dtl |
|
|
elderwood project |
|
|
eloquent panda |
|
|
Energetic Bear/ Dragonfly/ Havex/ Crouching Yeti/ Koala Team/ Group 24 |
|
|
exploit kit |
|
|
FSB 16th & 18th Centers/ Operation Armageddon |
|
|
GeminiDuke |
|
|
google-blogspot campaign |
|
|
Grizzly Steppe |
|
|
hack, hail-mary threat actor |
|
|
Hellsing |
|
|
Hidden Lynx |
|
|
hurricane panda |
|
|
icefrog |
|
|
ICIT |
|
|
indicator of compromise |
|
|
institute for critical infrastructure technology |
|
|
IoC |
|
|
James Scott |
|
|
Know Your Enemies 3.0 |
|
|
lotus blossom |
|
|
luckme |
|
|
MiniDuke |
|
|
Mirage |
|
|
naikon |
|
|
nation state |
|
|
nettraveler |
|
|
night dragon |
|
|
North Korea |
|
|
OceanLotus |
|
|
OilRig |
|
|
OnionDuke |
|
|
Operation Inception |
|
|
Operation Red October/ Operation Cloud Atlas |
|
|
packets campaign,patchwork |
|
|
PinchDuke |
|
|
piping |
|
|
Project Sauron |
|
|
ru.pad62 |
|
|
RUAG Espionage Case (via GovCERT) |
|
|
Russia |
|
|
Sandworm/ Quedagh/ BlackEnergy/ TEMP.Noble |
|
|
ScarCruft/ Operation Daybreak/ Operation Erebus |
|
|
SeaDuke/ SeaDaddy/ SeaDask |
|
|
Shark Spider |
|
|
stone panda,suckfly |
|
|
sunshop digital quartermaster group |
|
|
sunshop group |
|
|
TeamSpy/ TeamSpy Crew |
|
|
Union Spider |
|
|
updat1 |
|
|
Uroburos / Epic Turla/ Snake / SnakeNet/ Venomous Bear/
Group 88/ Waterbug/ Turla Team/ Satellite Turla/ The 'Penquin' Turla/
Operation Witchcoven |
|
|
XENOTIME |
|
|
Early Hackers |
|
|
|
https://en.wikipedia.org/wiki/Category:American_computer_criminals |
|
|
|
https://en.wikipedia.org/wiki/Roman_Seleznev |
|
|
|
|
https://en.wikipedia.org/wiki/Max_Butler |
|
|
|
|
https://en.wikipedia.org/wiki/Kevin_Poulsen |
|
|
|
|
https://en.wikipedia.org/wiki/Kevin_Mitnick |
|
|
MITRE ATT&CK Threat Groups (110 groups) |
|
# | Name | Suspected Source | Overview |
|
1 |
admin@338 |
|
2 |
APT-C-36 |
|
3 |
APT1 |
|
4 |
APT3 |
|
5 |
APT12 |
|
6 |
APT16 |
|
7 |
APT17 |
|
8 |
APT18 |
|
9 |
APT19 |
China |
|
10 |
APT28 |
Russia |
|
11 |
APT29 |
|
12 |
APT30 |
|
13 |
APT32 |
|
14 |
APT33 |
|
15 |
APT37 |
|
16 |
APT38 |
|
17 |
APT39 |
|
18 |
APT41 |
|
19 |
Axiom |
|
20 |
BlackOasis |
|
21 |
BlackTech |
|
22 |
Blue Mockingbird |
|
23 |
Bouncing Golf |
|
24 |
BRONZE BUTLER |
|
25 |
Carbanak |
|
26 |
Charming Kitten |
|
27 |
Chimera |
|
28 |
Cleaver |
|
29 |
Cobalt Group |
|
30 |
CopyKittens |
|
31 |
Dark Caracal |
|
32 |
Darkhotel |
|
33 |
DarkHydrus |
|
34 |
DarkVishnya |
|
35 |
Deep Panda |
|
36 |
Dragonfly |
|
37 |
Dragonfly 2.0 |
|
38 |
DragonOK |
|
39 |
Dust Storm |
|
40 |
Elderwood |
|
41 |
Equation |
|
42 |
FIN10 |
|
43 |
FIN4 |
|
44 |
FIN5 |
|
45 |
FIN6 |
|
46 |
FIN7 |
|
47 |
FIN8 |
|
48 |
Frankenstein |
|
49 |
Gallmaker |
|
50 |
Gamaredon Group |
|
51 |
GCMAN |
|
52 |
GOLD SOUTHFIELD |
|
53 |
Gorgon Group |
|
54 |
Group5 |
|
55 |
Honeybee |
|
56 |
Inception |
|
57 |
Ke3chang |
|
58 |
Kimsuky |
|
59 |
Lazarus Group |
|
60 |
Leafminer |
|
61 |
Leviathan |
|
62 |
Lotus Blossom |
|
63 |
Machete |
|
64 |
Magic Hound |
|
65 |
menuPass |
|
66 |
Moafee |
|
67 |
Mofang |
|
68 |
Molerats |
|
69 |
MuddyWater |
|
70 |
Naikon |
|
71 |
NEODYMIUM |
|
72 |
Night Dragon |
|
73 |
OilRig |
|
74 |
Orangeworm |
|
75 |
Patchwork |
|
76 |
PittyTiger |
|
77 |
PLATINUM |
|
78 |
Poseidon Group |
|
79 |
PROMETHIUM |
|
80 |
Putter Panda |
|
81 |
Rancor |
|
82 |
Rocke |
|
83 |
RTM |
|
84 |
Sandworm Team |
|
85 |
Scarlet Mimic |
|
86 |
Sharpshooter |
|
87 |
Silence |
|
88 |
SilverTerrier |
|
89 |
Soft Cell |
|
90 |
Sowbug |
|
91 |
Stealth Falcon |
|
92 |
Stolen Pencil |
|
93 |
Strider |
|
94 |
Suckfly |
|
95 |
TA459 |
|
96 |
TA505 |
|
97 |
Taidoor |
|
98 |
Taj Mahal |
https://threatpost.com/meet-tajmahal/143644/ |
|
99 |
TEMP.Veles |
|
100 |
The White Company |
|
101 |
Threat Group-1314 |
|
102 |
Threat Group-3390 |
|
103 |
Thrip |
|
104 |
Tropic Trooper |
SE Asian Targets |
|
https://www.trendmicro.com/en_us/research/20/e/tropic-troopers-back-usbferry-attack-targets-air-gapped-environments.html |
|
105 |
Turla |
Russia |
|
106 |
Whitefly |
|
107 |
Windshift |
|
108 |
Winnti Group |
|
109 |
WIRTE |
|
110 |
Wizard Spider |
|
|
From https://attack.mitre.org/groups/ (Groups overview) |
|
Groups are sets of related intrusion activity that are tracked
by a common name in the security community. Analysts track clusters of
activities using various analytic methodologies and terms such as threat
groups, activity groups, threat actors, intrusion sets, and campaigns. Some
groups have multiple names associated with similar activities due to various
organizations tracking similar activities by different names. Organizations'
group definitions may partially overlap with groups designated by other
organizations and may disagree on specific activity. |
|
|
For the purposes of the Group pages, the MITRE ATT&CK team
uses the term Group to refer to any of the above designations for a cluster
of adversary activity. The team makes a best effort to track overlaps between
names based on publicly reported associations, which are designated as
“Associated Groups” on each page (formerly labeled “Aliases”), because we
believe these overlaps are useful for analyst awareness. We do not represent
these names as exact overlaps and encourage analysts to do additional
research. |
|
|
Groups are mapped to publicly reported technique use and
original references are included. The information provided does not represent
all possible technique use by Groups, but rather a subset that is available
solely through open source reporting. Groups are also mapped to reported
Software used, and technique use for that Software is tracked separately on
each Software page. |
|
|
|
|
|
Groups: 109 |
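The MITRE text above describes how one cluster of activity carries several vendor names ("Associated Groups", formerly "Aliases") and how groups are mapped to reported technique use. ATT&CK ships that data as STIX 2.x JSON (intrusion-set, attack-pattern and relationship objects). The following is an added example, not code from MITRE or from this page: it indexes a bundle in that format, resolves a vendor name such as "Fancy Bear" to the ATT&CK group(s) carrying it, lists the technique ids each group is reported to use, and drops revoked objects, which the real data set keeps for backwards compatibility. The bundle embedded below is a constructed, abbreviated sample with made-up object ids; the real enterprise-attack.json from https://github.com/mitre-attack/attack-stix-data loads with the same function.

```python
"""Resolve vendor aliases to ATT&CK groups and their techniques.

Added example, not code from MITRE or from this page. ATT&CK is published
as STIX 2.x JSON; the bundle below is a constructed, abbreviated sample in
that format and its object ids are made up. The real enterprise-attack.json
loads the same way.
"""
import json

# Constructed sample bundle. The G/T external ids follow ATT&CK's convention.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--sample", "objects": [
    {"type": "intrusion-set", "id": "intrusion-set--a1", "name": "APT28",
     "aliases": ["APT28", "Sofacy", "Sednit", "Fancy Bear", "STRONTIUM", "Pawn Storm"],
     "external_references": [{"source_name": "mitre-attack", "external_id": "G0007"}]},
    {"type": "intrusion-set", "id": "intrusion-set--a2", "name": "APT29",
     "aliases": ["APT29", "Cozy Bear", "CozyDuke", "The Dukes"],
     "external_references": [{"source_name": "mitre-attack", "external_id": "G0016"}]},
    # Revoked objects stay in the real data set for compatibility and must be skipped.
    {"type": "intrusion-set", "id": "intrusion-set--a3", "name": "Old Cluster",
     "aliases": ["Old Cluster"], "revoked": True,
     "external_references": [{"source_name": "mitre-attack", "external_id": "G9999"}]},
    {"type": "attack-pattern", "id": "attack-pattern--t1", "name": "Phishing",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1566"}]},
    {"type": "attack-pattern", "id": "attack-pattern--t2",
     "name": "Command and Scripting Interpreter",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1059"}]},
    {"type": "relationship", "id": "relationship--r1", "relationship_type": "uses",
     "source_ref": "intrusion-set--a1", "target_ref": "attack-pattern--t1"},
    {"type": "relationship", "id": "relationship--r2", "relationship_type": "uses",
     "source_ref": "intrusion-set--a1", "target_ref": "attack-pattern--t2"},
    {"type": "relationship", "id": "relationship--r3", "relationship_type": "uses",
     "source_ref": "intrusion-set--a2", "target_ref": "attack-pattern--t1"},
    {"type": "relationship", "id": "relationship--r4", "relationship_type": "uses",
     "source_ref": "intrusion-set--a3", "target_ref": "attack-pattern--t2"},
]})


def norm(name):
    """Normalise a group name for matching: case-insensitive, whitespace dropped,
    so the page's 'APT 28' and ATT&CK's 'APT28' compare equal."""
    return "".join(name.split()).lower()


def attack_id(obj):
    """ATT&CK external id (G####/T####) of a STIX object, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def load_bundle(text):
    """Index a STIX bundle: live groups, techniques, 'uses' edges and an alias map."""
    objs = [o for o in json.loads(text)["objects"]
            if not o.get("revoked") and not o.get("x_mitre_deprecated")]
    groups = {o["id"]: o for o in objs if o["type"] == "intrusion-set"}
    techniques = {o["id"]: o for o in objs if o["type"] == "attack-pattern"}
    uses = {}
    for o in objs:
        # Edges whose endpoints were dropped (revoked group) are dropped with them.
        if (o["type"] == "relationship" and o["relationship_type"] == "uses"
                and o["source_ref"] in groups and o["target_ref"] in techniques):
            uses.setdefault(o["source_ref"], set()).add(o["target_ref"])
    # 'Associated Groups' on the ATT&CK page are the aliases field; keep a set
    # per name so that overlapping vendor clusters stay visible, not merged.
    aliases = {}
    for gid, g in groups.items():
        for name in [g["name"], *g.get("aliases", [])]:
            aliases.setdefault(norm(name), set()).add(gid)
    return {"groups": groups, "techniques": techniques, "uses": uses, "aliases": aliases}


def resolve(index, name):
    """Map a vendor name to every ATT&CK group carrying it, with technique ids.

    A list is returned on purpose: vendors' clusters do not always line up
    one-to-one, so one alias may legitimately hit more than one group.
    """
    hits = []
    for gid in sorted(index["aliases"].get(norm(name), ())):
        g = index["groups"][gid]
        tids = sorted(attack_id(index["techniques"][t]) for t in index["uses"].get(gid, ()))
        hits.append({"group": g["name"], "gid": attack_id(g),
                     "aliases": g.get("aliases", []), "techniques": tids})
    return hits


if __name__ == "__main__":
    idx = load_bundle(SAMPLE_BUNDLE)
    for query in ("Fancy Bear", "APT 28", "cozy bear", "Old Cluster"):
        print(f"{query!r} -> {resolve(idx, query)}")
```

Alias matching is deliberately exact after normalisation: "Fancy Bear" and "APT 28" resolve to G0007, but a vendor spelling ATT&CK does not list (for example "Operation Pawnstorm" against the alias "Pawn Storm") returns nothing rather than a guess, which is the behaviour an analyst wants before treating two names as the same actor. Querying "Old Cluster" also returns nothing because the revoked object was dropped at load time.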