2 - Threat Groups & Threat Intelligence
Threat Group Sources

Numbered links
1 https://www.fireeye.com/current-threats/apt-groups.html
2 https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections
3 https://attack.mitre.org/groups/
4 https://www.thaicert.or.th/downloads/files/Threat_Group_Cards_v2.0.pdf
5 https://icitech.org
6 https://www.secureworks.com/research/threat-profiles
7 MITRE links to APTs in this spreadsheet
8 IP reputation feed: IPs to block
9 https://threatconnect.com/free/
10 https://securelist.com/tag/apt  <- Kaspersky
11 https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/edit#gid=361554658  <- includes an APT cross reference; scroll right to see toolsets, targets, modes, comments and additional links; scroll down to see authors
12 https://otx.alienvault.com/browse/adversaries
13 https://github.com/kbandla/APTnotes
14 https://threatminer.org
15 https://www.fbi.gov/wanted/cyber
16 https://theintercept.com/technology/
17 https://electrospaces.blogspot.com

Named sources
APTNotes - GitHub repo: https://github.com/kbandla/APTnotes
APTNotes - website: https://aptnotes.malwareconfig.com/
Targeted Cyber Attacks Logbook (Kaspersky): https://apt.securelist.com/
Cyber Campaigns: http://cybercampaigns.net/
(Slides) Cyber Espionage: Nation-State APT Attacks on the Rise: http://www.slideshare.net/Cyphort/cyber-espionage-nation-stateaptattacksontherise
(Slides) CrowdCasts Monthly: You Have an Adversary Problem: http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem
CrowdStrike Blog: http://www.crowdstrike.com/blog/
Securelist.com Blog (Kaspersky): https://securelist.com/
Sample Threat Groups
Name | Country
Carbanak / FIN7 | Spain
Bureau 121 | North Korea
PLA Unit 61398 | China
TEMP.Periscope | China
APT 3, APT 4, APT 17 | China
APT28 Fancy Bear | Russia
Cozy Bear | Russia
TAO Equation Group | USA
Sandworm/Electrum | Russia
Tarh Andishan | Iran
Energetic Bear, Dragonfly, Crouching Yeti | Russia
Snowglobe, Animal Farm | France

More sources
Cyber Operations by CFR: https://www.cfr.org/interactive/cyber-operations
Symantec Health Care Attacks: https://www.symantec.com/content/dam/symantec/docs/reports/istr-healthcare-2017-en.pdf
FireEye Threat Actors: https://www.fireeye.com/current-threats/apt-groups.html
MITRE ATT&CK Groups: https://attack.mitre.org/wiki/Groups
APT_CyberCriminal_Campagin_Collections: https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections
Dragos' Adversary Groups (ICS specialists): https://dragos.com/adversaries.html
ClearSky Raw Threat Intel: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXB85f6VL_Zm79wtTK59xADKh6MG0G7hSBZi8cPOiQVWAIie0/pub
Attack Groups; Advanced Persistent Threat (APT) Groups
See the MITRE Threat Groups list further down this page.
Attack groups from https://icitech.org 
Agent.btz
allshell campaign
anchor panda
Anger Bear/ Berserk Bear 
APT 1: PLA Unit 61398 is the Military Unit Cover Designator of a People's Liberation Army advanced persistent threat unit that has been alleged to be a source of Chinese computer hacking attacks. China
APT 2: Putter Panda is a Chinese threat group that has been attributed to Unit 61486 of the 12th Bureau of the PLA's 3rd General Staff Department (GSD). China
APT 3: APT3 is a China-based threat group that researchers have attributed to China's Ministry of State Security. This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap. As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong. China
China aka Stone Panda, MenuPass
APT 12 China
APT 16 China
APT 18
APT 28/ Sofacy Group/ Sednit Group/ Tsar Team/ Fancy Bear/ Operation Pawnstorm/ Group 74/ Strontium/ Operation Russian Doll https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf Russia
APT 29 / Hammertoss/ Group 100 / Minidionis Russia
APT 39 Iran
Attribution (source: icitech; these references on the icitech site are no longer active)
Axiom
Berserk Bear
blue termite
boing-job
Boulder Bear
breach
BuhTrap
c0d0so0
Carbanak/ Carbon Spider/ Anunak/ Operation Odinaff
Carberp/ Operation Moonlight Maze
China
CloudDuke/ MiniDionis/ CloudLook
codoso
CosmicDuke/ Tinybaron/ BotgenStudios/ NemesisGemina
CozyDuke/ CozyCar/ CozyBear/ Office Monkeys/ Cozer/ EuroAPT
Cyber Berkut
cyber mercenary
Cyber-Jihad
Deep Panda
derusbi
downmicrosoft
dtl
elderwood project
eloquent panda
Energetic Bear/ Dragonfly/ Havex Crouching Yeti/ Koala Team/ Group 24
exploit kit
FSB 16th & 18th Centers/ Operation Armageddon
GeminiDuke
google-blogspot campaign
Grizzly Steppe
hack
hail-mary threat actor
Hellsing
Hidden Lynx
hurricane panda
icefrog
ICIT
indicator of compromise
institute for critical infrastructure technology
IoC
James Scott
Know Your Enemies 3.0
lotus blossom
luckme
MiniDuke
Mirage
naikon
nation state
nettraveler
night dragon
North Korea
OceanLotus
OilRig
OnionDuke
Operation Inception
Operation Red October/ Operation Cloud Atlas
packets campaign
patchwork
PinchDuke
piping
Project Sauron
ru.pad62
RUAG Espionage Case (via GovCERT)
Russia
Sandworm/ Quedagh/ BlackEnergy/ TEMP.Noble
ScarCruft/ Operation Daybreak/ Operation Erebus
SeaDuke/ SeaDaddy/ SeaDask
Shark Spider
stone panda
suckfly
sunshop digital quartermaster group
sunshop group
TeamSpy/ TeamSpy Crew
Union Spider
updat1
Uroburos / Epic Turla/ Snake / SnakeNet/ Venomous Bear/ Group 88/ Waterbug/ Turla Team/ Satellite Turla/ The 'Penquin' Turla/ Operation Witchcoven 
XENOTIME
Early Hackers
https://en.wikipedia.org/wiki/Category:American_computer_criminals
https://en.wikipedia.org/wiki/Roman_Seleznev
https://en.wikipedia.org/wiki/Max_Butler
https://en.wikipedia.org/wiki/Kevin_Poulsen
https://en.wikipedia.org/wiki/Kevin_Mitnick
MITRE Threat Groups (110 groups)
Columns: number, name, suspected source and overview link (where given)
1 admin@338
2 APT-C-36
3 APT1
4 APT3
5 APT12
6 APT16
7 APT17
8 APT18
9 APT19 Russia
10 APT28 Russia
11 APT29
12 APT30
13 APT32
14 APT33
15 APT37
16 APT38
17 APT39
18 APT41
19 Axiom
20 BlackOasis
21 BlackTech
22 Blue Mockingbird
23 Bouncing Golf
24 BRONZE BUTLER
25 Carbanak
26 Charming Kitten
27 Chimera
28 Cleaver
29 Cobalt Group
30 CopyKittens
31 Dark Caracal
32 Darkhotel
33 DarkHydrus
34 DarkVishnya
35 Deep Panda
36 Dragonfly
37 Dragonfly 2.0
38 DragonOK
39 Dust Storm
40 Elderwood
41 Equation
42 FIN10
43 FIN4
44 FIN5
45 FIN6
46 FIN7
47 FIN8
48 Frankenstein
49 Gallmaker
50 Gamaredon Group
51 GCMAN
52 GOLD SOUTHFIELD
53 Gorgon Group
54 Group5
55 Honeybee
56 Inception
57 Ke3chang
58 Kimsuky
59 Lazarus Group
60 Leafminer
61 Leviathan
62 Lotus Blossom
63 Machete
64 Magic Hound
65 menuPass
66 Moafee
67 Mofang
68 Molerats
69 MuddyWater
70 Naikon
71 NEODYMIUM
72 Night Dragon
73 OilRig
74 Orangeworm
75 Patchwork
76 PittyTiger
77 PLATINUM
78 Poseidon Group
79 PROMETHIUM
80 Putter Panda
81 Rancor
82 Rocke
83 RTM
84 Sandworm Team
85 Scarlet Mimic
86 Sharpshooter
87 Silence
88 SilverTerrier
89 Soft Cell
90 Sowbug
91 Stealth Falcon
92 Stolen Pencil
93 Strider
94 Suckfly
95 TA459
96 TA505
97 Taidoor
98 Taj Mahal https://threatpost.com/meet-tajmahal/143644/
99 TEMP.Veles
100 The White Company
101 Threat Group-1314
102 Threat Group-3390
103 Thrip
104 Tropic Trooper SE Asian Targets https://www.trendmicro.com/en_us/research/20/e/tropic-troopers-back-usbferry-attack-targets-air-gapped-environments.html
105 Turla Russian
106 Whitefly
107 Windshift
108 Winnti Group
109 WIRTE
110 Wizard Spider
Groups
Groups are sets of related intrusion activity that are tracked by a common name in the security community. Analysts track clusters of activities using various analytic methodologies and terms such as threat groups, activity groups, threat actors, intrusion sets, and campaigns. Some groups have multiple names associated with similar activities due to various organizations tracking similar activities by different names. Organizations' group definitions may partially overlap with groups designated by other organizations and may disagree on specific activity.
For the purposes of the Group pages, the MITRE ATT&CK team uses the term Group to refer to any of the above designations for a cluster of adversary activity. The team makes a best effort to track overlaps between names based on publicly reported associations, which are designated as “Associated Groups” on each page (formerly labeled “Aliases”), because we believe these overlaps are useful for analyst awareness. We do not represent these names as exact overlaps and encourage analysts to do additional research.
Groups are mapped to publicly reported technique use and original references are included. The information provided does not represent all possible technique use by Groups, but rather a subset that is available solely through open source reporting. Groups are also mapped to reported Software used, and technique use for that Software is tracked separately on each Software page.
Groups: 109