December 8, 2024
Country: Russia
Organization: Federal Security Service (FSB) Center 16 and 18
Objective: Information Theft, Espionage
Page last updated: December 12, 2024
Aliases:
ACTINIUM (formerly used by Microsoft)
ARMAGEDON [sic] (Security Service of Ukraine (SSU) )
Aqua Blizzard (Microsoft )
BlueAlpha (Recorded Future )
Blue Otso (PwC)
Gamaredon (Gamaredon Group) (Anomali , BlackBerry , CERT-EU , ESET , ETDA , Fortinet , Intezer , Malpedia , MITRE , Trend Micro , Wikipedia , Yoroi )
IRON TILDEN (Secureworks )
Primitive Bear (CISA , Palo Alto Networks )
Shuckworm (Symantec )
STEADY#URSA (Securonix )
Trident Ursa (Unit 42 )
UAC-0010 (CERT-UA) Links to Other Groups
Identified Members
Sources: SSU , European Union
Sklianko Oleksandr Mykolaiovych (Deputy Chief, 4th Section of the Counterintelligence Operations Service (SCO), FSB Department in occupied Crimea and Sevastopol)
Chernykh Mykola Serhiiovych (Head of the unit identified as responsible for conducting Gamaredon operations, 4th Section of the SCO, FSB Department in occupied Crimea and Sevastopol)
Starchenko Anton Oleksandrovych (Officer within the unit identified as responsible for conducting Gamaredon operations, 4th Section of the SCO, FSB Department in occupied Crimea and Sevastopol)
Miroshnychenko Oleksandr Valeriiovych (Officer within the unit identified as responsible for conducting Gamaredon operations, 4th Section of the SCO, FSB Department in occupied Crimea and Sevastopol)
▪ Sushchenko Oleh Oleksandrovych (Officer within the unit identified as responsible for conducting Gamaredon operations, 4th Section of the SCO, FSB Department in occupied Crimea and Sevastopol) Vulnerabilities Exploited
CVE-2017-0199 (7.8 high, in CISA's KEV Catalog)
Microsoft Office and WordPad Remote Code Execution Vulnerability (Source: BlackBerry )Associated with InvisiMole activity: (Source: ESET )
CVE-2019-0708 (9.8 critical, in CISA's KEV Catalog)
Microsoft Remote Desktop Services Remote Code Execution Vulnerability (aka BlueKeep)CVE-2017-0144 (8.8 high, in CISA's KEV Catalog)
Microsoft SMBv1 Remote Code Execution Vulnerability (aka EternalBlue)CVE-2007-5633 (CVSSv2: 7.2 high)
speedfan.sys local privilege escalation vulnerability (Bring Your Own Vulnerable Driver)Tactics, Techniques, and Procedures
Mapped to MITRE ATT&CK Navigator Layers
References
Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.
Links (Sorted in Chronological Order)
2024
2023
November 17, 2023 – Check Point Research : Malware Spotlight – Into the Trash: Analyzing LitterDrifter
August 28, 2023 – National Security and Defense Council of Ukraine (RNBO): Gamaredon Activity Amid Ukraine's Counteroffensive (PDF)
July 13, 2023 – CERT-UA : Summary information on the activities of the UAC-0010 group as of July 2023
July 24, 2023 – NKSC-LT (Lithuania): Report on Cyber Lessons Learned During the War in Ukraine (PDF)
June 15, 2023 – Symantec : Shuckworm: Inside Russia's Relentless Cyber Campaign Against Ukraine
March 20, 2023 – ThreatMon : Cybergun: Technical Analysis of the Armageddon's Infostealer (PDF, archive of broken link)
March 17, 2023 – State Service of Special Communications and Information Protection of Ukraine (SSSCIP): Gamaredon carried out 74 cyberattacks against Ukraine in 2022
March 13, 2023 – ThreatMon : Beyond Bullets and Bombs: An Examination of Armageddon Group's Cyber Warfare Against Ukraine (PDF, archive of broken link)
January 24, 2023 – Trellix : Cyberattacks Targeting Ukraine Increase 20-fold at End of 2022 Fueled by Russia-linked Gamaredon Activity
January 23, 2023 – European Repository of Cyber Incidents : ADVANCED PERSISTENT THREAT profile Gamaredon (PDF)
January 19, 2023 – BlackBerry : Gamaredon (Ab)uses Telegram to Target Ukrainian Organizations
January 09, 2023 – State Cyber Protection Centre of Ukraine (SCPC): ANOTHER UAC-0010 STORY (PDF) 2022
December 20, 2022 – Unit 42 : Russia's Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine
November 21, 2022 – BlackBerry : Gamaredon Leverages Microsoft Office Docs to Target Ukraine Government and Military
November 08, 2022 – CERT-UA : Cyberattack by the UAC-0010 group: sending emails supposedly on behalf of the State Service for Special Communications (CERT-UA#5570) (Ukrainian language)
September 15, 2022 – Cisco Talos : Gamaredon APT targets Ukrainian government agencies in new campaign
August 15, 2022 – Symantec : Shuckworm: Russia-Linked Group Maintains Ukraine Focus
August 10, 2022 – CERT-UA : Cyberattacks by the UAC-0010 (Armageddon) group: GammaLoad, GammaSteel malware (CERT-UA#5134) (Ukrainian language)
July 26, 2022 – CERT-UA : Cyberattacks by the UAC-0010 (Armageddon) group using the GammaLoad.PS1_v2 malware (CERT-UA#5003,5013,5069,5071) (Ukrainian language)
June 20, 2022 – Elastic : Playing defense against Gamaredon Group
May 12, 2022 – CERT-UA : Cyberattacks by the UAC-0010 (Armageddon) group using the GammaLoad.PS1_v2 malware (CERT-UA#4634,4648) (Ukrainian language)
May 12, 2022 – Cisco : Network Footprints of Gamaredon Group
April 20, 2022 – Symantec : Shuckworm: Espionage Group Continues Intense Campaign Against Ukraine
April 07, 2022 – CERT-UA : Cyberattack by the UAC-0010 (Armageddon) group on Ukrainian state organizations (CERT-UA#4434) (Ukrainian language)
April 04, 2022 – CERT-UA :
February 04, 2022 – Microsoft : ACTINIUM targets Ukrainian organizations
February 03, 2022 – Unit 42 : Russia's Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine
February 01, 2022 – CERT-UA : Cyberattack by the UAC-0010 (Armageddon) group on Ukrainian state organizations (CERT-UA#3787) (Ukrainian language)
January 31, 2022 – Symantec : Shuckworm Continues Cyber-Espionage Attacks Against Ukraine 2021
2020
2019
2015
Feedback: Please direct message any comments, concerns, corrections or questions to https://infosec.exchange/@screaminggoat
November 23, 2024
Country: Democratic People's Republic of Korea (DPRK)
Objective: Corporate Espionage, Financial Gain
(Page Last Updated: December 12, 2024)
Organizations:
313 General Bureau of the Munitions Industry Department (MID)
The Ministry of Atomic Energy Industry
Ministry of Defense
Korea People's Army
DPRK Education Commission's Foreign Trade Office
Pyongyang Information Technology Bureau of the Central Committee's Science and Education Department
Pyongyang University of Automation (training)
Technical Reconnaissance Bureau
subordinate cyber unit: 110th Research Center
Chinyong Information Technology Cooperation Company (Chinyong) Companies employing DPRK IT workers :
Yanbian Silverstar Network Technology Co. Ltd.
Volasys Silver Star Identified North Korean IT workers :
Jong Song Hwa (정성화), CEO of both Yanbian Silverstar Network Technology Co. Ltd. and Volasys Silver Star
Kim Ryu Song (김류성), president of Yanbian Silverstar
Ri Kyong Sik (리경식), president of Volasys Silver Star
Rim Un Chol (림은철), senior manager
Kim Mu Rim (김무림), senior manager
Cho Chung Pom (조충범), mid-level manager
Hyon Chol Song (현철성), mid-level manager
Son Un Chol (손은철), mid-level manager
Sok Kwang Hyok (석광혁), mid-level manager
Choe Jong Yong (최정용), IT worker
Ko Chung Sok (고충석), IT worker
Kim Ye Won (김예원), IT worker
Jong Kyong Chol (정경철), IT worker
Jang Chol Myong (장철명), IT worker Identified individuals assisting DPRK IT workers :
Minh Phuong Vong
Matthew Isaac Knoot
Christina Marie Chapman
Oleksandr Didenko
Sim Hyon Sop (Sim) Groups or Aliases:
References
Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.
Links (Sorted in Chronological Order)
Unknown Date
2024
December 12, 2024:
November 22, 2024 – Microsoft Threat Intelligence: Microsoft shares latest intelligence on North Korean and Chinese threat actors at CYBERWARCON
November 21, 2024 – SentinelOne : DPRK IT Workers | A Network of Active Front Companies and Their Links to China
November 14, 2024 – Unit 42 : Fake North Korean IT Worker Linked to BeaverTail Video Conference App Phishing Attack
November 13, 2024 – Unit 42 : Global Companies Are Unknowingly Paying North Koreans: Here's How to Catch Them
November 01, 2024 – New York State Department of Financial Services : Re: Cybersecurity Advisory – Threats Posed by Remote Technology Workers with Ties to Democratic People's Republic of Korea
October 24, 2024 – HYPR : HYPR Unmasks a Fake IT Worker: North Korea Isn't the Only Threat
October 19, 2024 – KnowB34 : North Korean IT Worker Threat: 10 Critical Updates to Your Hiring Process
October 02, 2024 – CoinDesk : How North Korea Infiltrated the Crypto Industry
October 01, 2024 – Bundesamt für Verfassungsschutz (Germany): Private Sector Security Advisory | 02/2024 | 1 October 2024 | Subject: North Korean IT Workers
September 23, 2024 – Mandiant : Staying a Step Ahead: Mitigating the DPRK IT Worker Threat
August 19, 2024 – UK Government : Democratic People's Republic of Korea sanctions: guidance
August 14, 2024 – Cinder : We found North Korean engineers in our application pile. Here's what our ex-CIA co founders did about it.
August 08, 2024 – U.S. Department of Justice : Justice Department Disrupts North Korean Remote IT Worker Fraud Schemes Through Charges and Arrest of Nashville Facilitator
July 23, 2024 – KnowBe4 : How a North Korean Fake IT Worker Tried to Infiltrate Us
May 16, 2024 – U.S. Department of Justice :
May 16, 2024 – U.S. Department of State :
May 16, 2024 – FBI : Democratic People's Republic of Korea Leverages U.S.-Based Individuals to Defraud U.S. Businesses and Generate Revenue
April 22, 2024 – 38North : What We Learned Inside a North Korean Internet Server: How Well Do You Know Your Partners?
February 21, 2024 – Mandiant : The North Korean IT Workers
(podcast on Spotify) 2023
2022
May 16, 2022 – U.S. Treasury :
Feedback: Please direct message any comments, concerns, corrections or questions to https://infosec.exchange/@screaminggoat
September 29, 2024
Country: People's Republic of China
Organization: N/A
Objective: Espionage
(Page Last Updated: December 06, 2024)
Aliases:
Links to other groups
Vulnerabilities Exploited
ProxyLogon (Sources: ESET , Kaspersky , Sygnia , Trend Micro ):
CVE-2021-26855 (9.8 critical, in CISA's KEV Catalog)
Microsoft Exchange Server Remote Code Execution VulnerabilityCVE-2021-26857 (7.8 high, in CISA's KEV Catalog)
Microsoft Exchange Server Remote Code Execution VulnerabilityCVE-2021-26858 (7.8 high, in CISA's KEV Catalog)
Microsoft Exchange Server Remote Code Execution VulnerabilityCVE-2021-27065 (7.8 high, in CISA's KEV Catalog)
Source: Trend Micro
CVE-2023-46805 (8.2 high, in CISA's KEV Catalog)
Ivanti Connect Secure and Policy Secure Authentication Bypass VulnerabilityCVE-2024-21887 (9.1 critical, in CISA's KEV Catalog)
Ivanti Connect Secure and Policy Secure Command Injection VulnerabilityCVE-2023-48788 (9.8 critical, in CISA's KEV Catalog)
Fortinet FortiClient EMS SQL Injection VulnerabilityCVE-2022-3236 (9.8 critical, in CISA's KEV Catalog)
Sophos Firewall Code Injection Vulnerability
unidentified Microsoft SharePoint and Oracle Opera business software vulnerabilities (Source: ESET )
CVE-2017-11882 (7.8 high, in CISA's KEV Catalog. Note: associated with alias Tropic Trooper)
Microsoft Office Memory Corruption Vulnerability
Source: Trend Micro CVE-2012-0158 (8.8 high, in CISA's KEV Catalog. Note: associated with alias Tropic Trooper, KeyBoy)
Microsoft MSCOMCTL.OCX Remote Code Execution Vulnerability
Sources: Unit 42 , Citizen Lab CVE-2017-0199 (7.8 high, in CISA's KEV Catalog. Note: associated with alias Tropic Trooper)
Microsoft Office and WordPad Remote Code Execution Vulnerability
Source: Citizen Lab CVE-2015-1641 (7.8 high, in CISA's KEV Catalog. Note: associated with alias KeyBoy)
Microsoft Office Memory Corruption Vulnerability
Source: Citizen Lab References
Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.
Links (Sorted in Chronological Order)
2024
December 04, 2024 – Wall Street Journal : Dozens of Countries Hit in Chinese Telecom Hacking Campaign, Top U.S. Official Says (news article)
December 03, 2024 – CISA : CISA and Partners Release Joint Guidance on PRC-Affiliated Threat Actor Compromising Networks of Global Telecommunications Providers
November 27, 2024 – Bloomberg : T-Mobile Engineers Spotted Hackers Running Commands on Routers (news article, archive of paywalled article)
November 25, 2024 – Trend Micro : Game of Emperor: Unveiling Long Term Earth Estries Cyber Intrusions
November 20, 2024 – Natto Thoughts : Salt Typhoon: Churning Up a Storm of Consternation
November 19, 2024 – CrowdStrike : Unveiling LIMINAL PANDA: A Closer Look at China's Cyber Threats to the Telecom Sector
November 15, 2024 – Wall Street Journal : T-Mobile Hacked in Massive Chinese Breach of Telecom Networks (news article)
November 07, 2024 – Trend Micro : Breaking Down Earth Estries' Persistent TTPs in Prolonged Cyber Operations
October 25, 2024 – Wall Street Journal : Chinese Hackers Targeted Phones of Trump, Vance, and Harris Campaign (news article)
October 25, 2024 – CISA : Joint Statement by FBI and CISA on PRC Activity Targeting Telecommunications (not explicitly mentioned)
October 11, 2024 – Washington Post : White House forms emergency team to deal with China espionage hack (news article)
October 04, 2024 – Wall Street Journal : U.S. Wiretap Systems Targeted in China-Linked Hack (news article)
September 25, 2024 – Wall Street Journal : China-Linked Hackers Breach U.S. Internet Providers in New 'Salt Typhoon' Cyberattack (news article)
September 05, 2024 – Kaspersky : Tropic Trooper spies on government entities in the Middle East
July 17, 2024 – Sygnia : The Return of Ghost Emperor's Demodex 2023
2022
2021
2020
2018
2017
2016
2015
2013
Feedback: Please direct message any comments, concerns, corrections or questions to https://infosec.exchange/@screaminggoat
September 23, 2024
Country: People's Republic of China
Organization: Integrity Technology Group
Objective: Espionage, Information theft
(Page last updated: October 13, 2024)
Aliases (sorted alphabetically):
Associated Company
Integrity Technology Group (Integrity Tech) (Source: FBI (PDF))
aka Yongxin Zhicheng, 永信至诚
Vulnerabilities Exploited
Source: FBI
References
Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.
Links (Sorted in Chronological Order)
2024
2023
2022
2020
May 20, 2020?? – PRC Ministry of State Security : 前沿 | 网络靶场,未来安全的基础设施 (web archive of a MSS-run periodical reprinted on IntegrityTech's website, English translation: “Frontier | Cyber Range, the secure infrastructure of the future”)
Feedback: Please direct message any comments, concerns, corrections or questions to https://infosec.exchange/@screaminggoat
September 12, 2024
Country: Islamic Republic of Iran
Organization: Ministry of Intelligence and Security (MOIS)
Objective: Espionage, Sabotage
(Page last updated October 12, 2024)
Aliases (sorted alphabetically):
APT34 (Check Point Research , FireEye, Intezer , NSA, NSFOCUS , Trend Micro )
CHRYSENE (Dragos )
Cobalt Gypsy (Secureworks ) (primary)
Cobalt Lyceum (Secureworks )
Crambus (Symantec )
Earth Simnavaz (Trend Micro )
Europium (previously used by Microsoft)
Greenbug (ClearSky , Symantec )
Hazel Sandstorm (Microsoft )
Helix Kitten (CrowdStrike , Wikipedia )
HEXANE (Dragos ) (linked to Lyceum by Kaspersky)
ITG13 (IBM )
Lyceum (Kaspersky , Secureworks )
OilRig (ClearSky , Cyble , EDTA , ESET , Kaspersky , Malpedia , MITRE , Unit 42 )
TA452 (Proofpoint )
TG-2889 (formerly used by Secureworks)
Yellow Maero (PwC Sub-group:
Known Associates
Mojtaba Mostafavi. Source: U.S. Treasury (linked by PwC, via Lab Dookhtegan leaks)
Farzin Karimi Mazlganchai: PwC Vulnerabilities Exploited
CVE-2024-30088 , (CVSS3v1: 7.0 high)
Windows Kernel Elevation of Privilege Vulnerability
Source: Trend Micro CVE-2019-0604 (CVE , NVD . CVSSv3.1: 9.8 critical, in CISA's KEV Catalog)
Microsoft SharePoint Remote Code Execution Vulnerability
Source: Microsoft
CVE-2017-11882 (CVE , NVD . CVSSv3.1: 7.8 high, in CISA's KEV Catalog)
Microsoft Office Memory Corruption Vulnerability
Source: Mandiant
CVE-2017-0199 (CVE , NVD , CVSS3v1: 7.8 high, in CISA's KEV Catalog)
Microsoft Office and WordPad Remote Code Execution Vulnerability
Source: Unit 42 Tactics, Techniques, and Procedures (TTPs)
As listed by MITRE
References
Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.
Links (Sorted in Chronological Order)
2024
2023
December 20, 2023 – Security Scorecard : A detailed analysis of the Menorah malware used by APT34
December 14, 2023 – ESET : OilRig’s persistent attacks using cloud service-powered downloaders
October 31, 2023 – Check Point Research : From Albania to the Middle East: The Scarred Manticore is Listening (AFFILIATED WITH MOIS)
October 19, 2023 – Symantec : Crambus: New Campaign Targets Middle Eastern Government
September 29, 2023 – Trend Micro : APT34 Deploys Phishing Attack With New Malware
September 21, 2023 – ESET : OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes
August 30, 2023 – NSFOCUS : APT34 Unleashes New Wave of Phishing Attack with Variant of SideTwist Trojan
May 09, 2023 – ESET : ESET APT Activity Report Q4 2022–Q1 2023 , specifically on page 8 in PDF (PDF)
May 08, 2023 – Kaspersky : Kaspersky experts warn of increased IT supply chain attacks by OilRig APT in the Middle East and Turkiye
February 02, 2023 – Trend Micro : New APT34 Malware Targets The Middle East 2022
2021
2020
2019
December 17, 2019 – Kaspersky : OilRig’s Poison Frog – old samples, same trick
December 04, 2019 – IBM : New Destructive Wiper ZeroCleare Targets Energy Sector in the Middle East
November 09, 2019 – NSFOCUS : APT34 Event Analysis Report
October 21, 2019 – National Security Agency : Turla Group Exploits Iranian APT To Expand Coverage Of Victims (PDF)
August 27, 2019 – Secureworks : LYCEUM Takes Center Stage in Middle East Campaign
July 18, 2019 – FireEye : Hard Pass: Declining APT34's Invite to Join Their Professional Network
July 16, 2019 – BGD e-GOV CIRT (Bangladesh): [DNSPIONAGE] – FOCUS ON INTERNAL ACTIONS
May 15, 2019 – Proofpoint : Threat Actor Profile: TA542, From Banker to Malware Distribution Service
May 06, 2019 – NSFOCUS : Analysis of File Disclosure by APT34
April 30, 2019 – Unit 42 : Behind the Scenes with OilRig
April 16, 2019 – Unit 42 : DNS Tunneling in the Wild: Overview of OilRig’s DNS Tunneling 2018
2017
December 15, 2017 – Unit 42 : Introducing the Adversary Playbook: First up, OilRig
December 11, 2017 – Unit 42 : OilRig Performs Tests on the TwoFace Webshell
December 07, 2017 – FireEye : New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit
November 08, 2017 – Unit 42 : OilRig Deploys “ALMA Communicator” – DNS Tunneling Trojan
October 24, 2017 – ClearSky : Iranian Threat Agent Greenbug Impersonates Israeli High-Tech and Cyber Security Companies
October 09, 2017 – Unit 42 : OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan
September 26, 2017 – Unit 42 : Striking Oil: A Closer Look at Adversary Infrastructure
August 28, 2017 – ClearSky : Recent ISMAgent Samples and Infrastructure by Iranian Threat Group GreenBug
July 27, 2017 – Unit 42 : OilRig Uses ISMDoor Variant; Possibly Linked to Greenbug Threat Group
July 27, 2017 – Secureworks : The Curious Case of Mia Ash: Fake Persona Lures Middle Eastern Targets
April 27, 2017 – Unit 42 : OilRig Actors Provide a Glimpse into Development and Testing Efforts
March 31, 2017 – LogRhythm Labs : OilRig Campaign Analysis (PDF, TLP:WHITE)
February 15, 2017 – Secureworks : Iranian PupyRAT Bites Middle Eastern Organizations
January 05, 2017 – ClearSky : Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford 2016
2015
Feedback: Please direct message any comments, concerns, corrections or questions to https://infosec.exchange/@screaminggoat
September 8, 2024
Country: People's Republic of China
Organization: Loosely connected private contractors operating on
behalf of China’s Ministry of State Security (MSS). Some have worked at Chengdu 404 Network Technology
Objective: Espionage, Information theft, Financial crime
(Page last updated: December 15, 2024)
Aliases (sorted alphabetically):
APT41 (FBI , CISA, Cisco , EDTA , FireEye, Mandiant , Kaspersky, Malpedia , Unit 42 , Zscaler )
Axiom (Note: treated as a separate threat actor)
BARIUM (formerly used by Microsoft)
Blackfly (Symantec )
Brass Typhoon (Microsoft )
Bronze Atlas (SecureWorks )
Double Dragon (Wikipedia )
Earth Baku (Trend Micro )
Grayfly (Symantec )
Red Kelpie (PWC?)
RedEcho (different threat actor from Recorded Future possible overlaps)
Redfly (not used by Symantec, but linked via ShadowPad malware)
RedGolf (officially used by Recorded Future )
SparklingGoblin (ESET )
TG-2633 (formerly used by SecureWorks)
Wicked Panda (used by CrowdStrike to track espionage)
Wicked Spider (used by CrowdStrike to track cybercrime)
Winnti, Winnti Group (Kaspersky, ESET , Cybereason , PwC) Subgroups
Identified Members
Associated Company
Chengdu Si Lingsi (404) Network Technology Company Ltd. (成都市肆零肆网络科技有限公司)
Vulnerabilities Exploited
CVE-2018-0824 (7.5 high, in CISA's KEV Catalog)
Microsoft COM for Windows Remote Code Execution Vulnerability
Source: Cisco CVE-2017-0199 (7.8 high, in CISA's KEV Catalog)
Microsoft Office and WordPad Remote Code Execution Vulnerability
Sources: Clearsky , Fortinet , FireEye CVE-2019-3396 (9.8 critical, in CISA's KEV Catalog)
Atlassian Confluence Server and Data Center Server-Side Template Injection Vulnerability.
Sources: FireEye , Fortinet CVE-2015-1641 (7.8 high, in CISA's KEV Catalog)
Microsoft Office Memory Corruption Vulnerability
Source: Fortinet CVE-2012-0158 (8.8 high, in CISA's KEV Catalog)
Microsoft MSCOMCTL.OCX Remote Code Execution Vulnerability
Sources: Fortinet , FireEye CVE-2017-11882 (7.8 high, in CISA's KEV Catalog)
Microsoft Office Memory Corruption Vulnerability
Source: FireEye The following 7 vulnerabilities have the same source: U.S. DOJ
CVE-2019-19781 (9.8 critical, in CISA's KEV Catalog)
Citrix ADC, Gateway, and SD-WAN WANOP Appliance Code Execution Vulnerability
Additional sources: FireEye , Fortinet CVE-2019-11510 (10.0 critical, in CISA's KEV Catalog)
Ivanti Pulse Connect Secure Arbitrary File Read VulnerabilityCVE-2019-16920 (9.8 critical, in CISA's KEV Catalog)
D-Link Multiple Routers Command Injection VulnerabilityCVE-2019-16278 (9.8 critical)
Nostromo 1.9.6 Directory Traversal/ Remote Command Execution VulnerabilityCVE-2019-1652 (7.2 high, in CISA's KEV Catalog)
Cisco Small Business Routers Improper Input Validation Vulnerability.
Additional source: FireEye CVE-2019-1653 (7.5 high, in CISA's KEV Catalog)
Cisco Small Business RV320 and RV325 Routers Information Disclosure Vulnerability.
Additional source: FireEye CVE-2020-10189 (9.8 critical, in CISA's KEV Catalog)
Zoho ManageEngine Desktop Central File Upload Vulnerability.
Additional sources: FireEye , Fortinet The following 2 vulnerabilities have the same source: Mandiant
CVE-2021-44228 (10.0 critical, in CISA's KEV Catalog)
Apache Log4j2 Remote Code Execution Vulnerability (aka Log4Shell).CVE-2021-44207 (8.1 high)
Acclaim USAHERDS Hard-Coded Credentials VulnerabilityTactics, Techniques, and Procedures
Mapped to MITRE ATT&CK Navigator Layers
References
Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.
Links (Sorted in Chronological Order)
2024
December 12, 2024 – QiAnXin XLab: Glutton: A New Zero-Detection PHP Backdoor from Winnti Targets Cybercrimals
November 12, 2024 – BlackBerry : LightSpy: APT41 Deploys Advanced DeepData Framework In Targeted Southern Asia Espionage Campaign
October 31, 2024 – Sophos : Pacific Rim: Inside the Counter-Offensive—The TTPs Used to Neutralize China-Based Threats
August 04, 2024 – Trend Micro : A Dive into Earth Baku’s Latest Campaign
August 01, 2024 – Cisco Talos : APT41 likely compromised Taiwanese government-affiliated research institute with ShadowPad and Cobalt Strike
July 18, 2024 – Mandiant : APT41 Has Arisen From the DUST
July 11, 2024 – Zscaler : MoonWalk: A deep dive into the updated arsenal of APT41 | Part 2
July 10, 2024 – Zscaler : DodgeBox: A deep dive into the updated arsenal of APT41 | Part 1
June 10, 2024 – Technical University of Zurich (ETH Zurich): From Vegas to Chengdu: Hacking Contests Bug Bounties, and China’s Offensive Cyber Ecosystem (research paper, PDF)
May 29, 2024 – Natto Thoughts : APT41’s Reconnaissance Techniques and Toolkit: Nmap and What Else?
May 22, 2024 – Natto Thoughts : Front Company or Real Business in China’s Cyber Operations
April 02, 2024 – Trend Micro : Earth Freybug Uses UNAPIMON for Unhooking Critical APIs (APT41 subgroup)
February 28, 2024 – Natto Thoughts : i-SOON: Kicking off the Year of the Dragon with Good Luck … or Not (more about association of i-SOON to Chengdu 404) 2023
October 27, 2023 – Natto Thoughts : i-SOON: Another Company in the APT41 Network
September 22, 2023 – Mandiant : Threat Trends: Unraveling WyrmSpy and DragonEgg Mobile Malware with Lookout
September 12, 2023 – Symantec : Redfly: Espionage Actors Continue to Target Critical Infrastructure (tenuous link via ShadowPad trojan)
July 19, 2023 – Lookout : Lookout Attributes Advanced Android Surveillanceware to Chinese Espionage Group APT41
May 02, 2023 – Trend Micro : Attack on Security Titans: Earth Longzhi Returns With New Tricks (APT41 subgroup)
April 01, 2023 – Google Cloud /Threat Analysis Group (TAG): April 2023 Threat Horizons Report (PDF, page 9: HOODOO Uses Public Tooling, Google Workspace to Target Taiwanese Media)
March 30, 2023 – Recorded Future : With KEYPLUG, China’s RedGolf Spies On, Steals From Wide Field of Targets (PDF)
February 28, 2023 – Symantec : Blackfly: Espionage Group Targets Materials Technology 2022
November 09, 2022 – Trend Micro : Hack the Real Box: APT41’s New Subgroup Earth Longzhi (APT41 subgroup)
October 18, 2022 – Symantec : Spyder Loader: Malware Seen in Recent Campaign Targeting Organizations in Hong Kong
September 22, 2022 – U.S. Health and Human Services (HHS): APT41 and Recent Activity (PDF)
September 14, 2022 – ESET : You never walk alone: The SideWalk backdoor gets a Linux variant
August 22, 2022 – Mandiant : APT41 (Double Dragon): A Dual Espionage and Cyber Crime Operation (PDF)
August 18, 2022 – Group-IB :
July 24, 2022 – Intrusion Truth : Chinese APTs: Interlinked networks and side hustles
July 23, 2022 – Intrusion Truth : The people behind Chengdu 404
July 22, 2022 – Intrusion Truth : Chengdu 404
July 21, 2022 – Intrusion Truth : The old school hackers behind APT41
July 20, 2022 – Intrusion Truth : APT41: A Case Sudy [sic]
May 02, 2022 – Cybereason :
March 08, 2022 – Mandiant : Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments
February 15, 2022 – Secureworks : ShadowPad Malware Analysis
January 20, 2022 – Kaspersky : MoonBounce: the dark side of UEFI firmware 2021
October 05, 2021 – BlackBerry : Drawing a Dragon: Connecting the Dots to Find APT41
September 21, 2021 – Recorded Future : China-Linked Group TAG-28 Targets India’s “The Times Group” and UIDAI (Aadhaar) Government Agency With Winnti Malware , available as PDF (tenuous connection via Winnti malware)
September 09, 2021 – Symantec : Grayfly: Chinese Threat Actor Uses Newly-discovered Sidewalk Malware
August 24, 2021 – ESET : The SideWalk may be as dangerous as the CROSSWALK
August 24, 2021 – Trend Micro : APT41 Resurfaces as Earth Baku With New Cyberespionage Campaign
August 20, 2021 – CISA : Chinese State-Sponsored Cyber Operations: Observed TTPs (generalized Chinese threat activity)
July 08, 2021 – Recorded Future : Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling (TAG-22 overlaps with Winnti, but is considered Aquatic Panda)
July 01, 2021 – Avast : Backdoored Client from Mongolian CA MonPass
June 10, 2021 – Group-IB : Big airline heist
April 29, 2021 – NTT : The Operations of Winnti group (PDF)
March 16, 2021 – Dragos : New ICS Threat Activity Group: VANADINITE (Winnti subgroup)
March 10, 2021 – Intezer : New Linux Backdoor RedXOR Likely Operated by Chinese Nation-State Actor
March 08, 2021 – Mazaher Kianpour : Socio-Technical Root Cause Analysis of Cyber-enabled Theft of the U.S. Intellectual Property — The Case of APT41 (PDF)
February 28, 2021 – Recorded Future : China-linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions , majority in PDF
January 14, 2021 – Positive Technologies : Higaisa or Winnti? APT41 backdoors, old and new 2020
November 11, 2020 – Microsoft : Hunting for Barium using Azure Sentinel
October 20, 2020 – CISA : Potential for China Cyber Response to Heightened U.S.–China Tensions (brief mention of APT41)
September 29, 2020 – Positive Technologies : ShadowPad: new activity from the Winnti group
September 18, 2020 – Trend Micro : U.S. Justice Department Charges APT41 Hackers over Global Cyberattacks
September 17, 2020 – Symantec : APT41: Indictments Put Chinese Espionage Group in the Spotlight
September 16, 2020 – U.S. Department of Justice : Seven International Cyber Defendants, Including “Apt41” Actors, Charged In Connection With Computer Intrusion Campaigns Against More Than 100 Victims Globally (ATTRIBUTION )
September 16, 2020 – FBI FLASH: Indictment of China-Based Cyber Actors Associated with APT 41 for Intrusion Activities (PDF)
June 11, 2020 – Zscaler : The Return of the Higaisa APT (see Positive Technologies link from January 14, 2021)
June 04, 2020 – Malwarebytes : New LNK attack tied to Higaisa APT discovered (see Positive Technologies link from January 14, 2021)
May 21, 2020 – ESET : No “Game over” for the Winnti Group
May 06, 2020 – Trend Micro : Targeted Ransomware Attack Hits Taiwan Organizations
April 20, 2020 – QuoIntelligence : WINNTI GROUP: Insights From the Past
April 13, 2020 – Unit 42 : APT41 Using New Speculoos Backdoor to Target Organizations Globally
March 25, 2020 – FireEye : This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits
February ??, 2020 – PwC : Cyber Threats 2019: A Year in Retrospect (PDF, page 10)
January 31, 2020 – ESET : Winnti Group targeting universities in Hong Kong
January 31, 2020 – Tagesschau (German news): Deutsches Chemieunternehmen gehackt (German language, archive of dead link. English translated title: “German chemical company hacked”) 2019
October 31, 2019 – FireEye : MESSAGETAP: Who’s Reading Your Text Messages?
October 21, 2019 – ESET : Winnti Group's skip-2.0: A Microsoft SQL Server backdoor
October 15, 2019 – FireEye : LOWKEY: Hunting for the Missing Volume Serial ID
October 14, 2019 – ESET : Connecting the dots: Exposing the arsenal and methods of the Winnti Group , with whitepaper PDF
September 14, 2019 – VMware : CB TAU Threat Intelligence Notification: Winnti Malware 4.0
August 19, 2019 – FireEye : GAME OVER: Detecting and Stopping an APT41 Operation
August 07, 2019 – FireEye : APT41: A Dual Espionage and Cyber Crime Operation , available as PDF
July 24, 2019 – Bayerischer Rundfunk (BR): Winnti: Attacking the Heart of the German Industry
May 29, 2019 – Intezer : HiddenWasp Malware Stings Targeted Linux Systems (link to Winnti malware)
May 16, 2019 – Lab52 : Winnti Group: Geostrategic and TTP (Tactics, Techniques and Procedures)
May 15, 2019 – Chronicle : Winnti: More than just Windows and Gates
April 23, 2019 – Kaspersky : Operation ShadowHammer: a high-profile supply chain attack
March 25, 2019 – Kaspersky : Operation ShadowHammer
March 11, 2019 – ESET : Gaming industry still in the scope of attackers in Asia 2018
2017
2016
2015
2013
Feedback: Please direct message any comments, concerns, corrections or questions to https://infosec.exchange/@screaminggoat
September 5, 2024
Country: Russia
Organization: Russian General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155)
Objective: Espionage, Sabotage, Assassinations, Influence Operations
(Page last updated: September 07, 2024)
Aliases:
Identified Members
Amin Timovich Stigal (Амин Стигал), Russian civilian hacker:
Yuriy Fedorovich Denisov (Юрий Денисов), Colonel and Commanding Officer of Cyber Operations for Unit 29155:
Vladislav Yevgenyevich Borovkov (Владислав Боровков), lieutenant in Unit 29155:
Denis Igorevich Denisenko (Денис Денисенко), lieutenant in Unit 29155:
Dmitriy Yuryevich Goloshubov (Дима Голошубов), lieutenant in Unit 29155:
Nikolay Aleksandrovich Korchagin (Николай Корчагин), lieutenant in Unit 29155:
Vulnerabilities Exploited
CVE-2017-11882 (7.8 high, in CISA's KEV Catalog)
Microsoft Office Memory Corruption Vulnerability
Source: Unit 42 The following 5 vulnerabilities have the same source: CISA
CVE-2021-33044 (9.8 critical, in CISA's KEV Catalog)
Dahua IP Camera Authentication Bypass VulnerabilityCVE-2021-33045 (9.8 critical, in CISA's KEV Catalog)
Dahua IP Camera Authentication Bypass VulnerabilityCVE-2022-26134 (9.8 critical, in CISA's KEV Catalog)
Atlassian Confluence Server and Data Center Remote Code Execution VulnerabilityCVE-2022-26138 (9.8 critical, in CISA's KEV Catalog)
Atlassian Questions For Confluence App Hard-coded Credentials VulnerabilityCVE-2022-3236 (9.8 critical, in CISA's KEV Catalog)
Sophos Firewall Code Injection VulnerabilityExploitation Likely
CISA and co-authoring agencies warned on 06 September 2024 that Unit 29155 cyber actors have been observed obtaining the respective exploit scripts for the following 5 vulnerabilities:
CVE-2020-1472 (9.8 critical, in CISA's KEV Catalog)
Microsoft Netlogon Privilege Escalation VulnerabilityCVE-2021-26084 (9.8 critical, in CISA's KEV Catalog)
Atlassian Confluence Server and Data Center Object-Graph Navigation Language (OGNL) Injection VulnerabilityCVE-2021-3156 (7.8 high, in CISA's KEV Catalog)
Sudo Heap-Based Buffer Overflow VulnerabilityCVE-2021-4034 (7.8 high, in CISA's KEV Catalog)
Red Hat Polkit Out-of-Bounds Read and Write VulnerabilityCVE-2022-27666 (7.8 high)
Red Hat: IPSec ESP Local Privilege Escalation VulnerabilityTactics, Techniques, and Procedures
Mapped to MITRE ATT&CK Navigator Layers
References
Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.
Links (Sorted in Chronological Order)
2024
September 06, 2024 – ASD ACSC : Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure
September 05, 2024 – CISA : Russian Military Cyber Actors Target US and Global Critical Infrastructure , available as PDF
September 05, 2024 – U.S. Department of Justice :
September 05, 2024 – NSA : NSA, FBI, CISA, and Allies Issue Advisory about Russian Military Cyber Actors
September 05, 2024 – U.S. State Department : Up to $1 Million Reward Offer for Information Leading to Arrest and/or Conviction of Russian National Tim Vakhaevich Stigal
September 05, 2024 – NCSC-UK : UK and Allies uncover Russian military unit carrying out cyber attacks and digital sabotage for the first time
September 05, 2024 – BfV (Germany): Joint Cybersecurity Advisory on Russian Military Cyber Actors targeting U.S. and Global Critical Infrastructure
September 05, 2024 – KAPO (Estonia): A GRU military unit launched cyberattacks against Estonian authorities
September 05, 2024 – Estonia Prosecutor's Office: A GRU military unit launched cyberattacks against Estonian authorities
September 05, 2024 – Estonia Ministry of Foreign Affairs (MFA): Estonia names Russia’s military intelligence in a first-ever attribution of cyberattacks
September 05, 2024 – The Netherlands Military Intelligence and Security Service (MIVD): MIVD waarschuwt: Russen hebben het gemunt op westerse hulp aan Oekraïne (Dutch)
September 05, 2024 – CCCS : Russian military cyber actors target U.S. and global critical infrastructure
June 26, 2024 – U.S. Department of Justice : Russian National Charged For Conspiring With Russian Military Intelligence To Destroy Ukrainian Government Computer Systems And Data (Amin Stigal) 2023
2022
December 05, 2022 – Elastic : Operation Bleeding Bear
July 20, 2022 – USCYBERCOM : Cyber National Mission Force discloses IOCs from Ukrainian networks
July 20, 2022 – Mandiant : Evacuation and Humanitarian Documents used to Spear Phish Ukrainian Entities
July 13, 2022 – Malwarebytes : Cobalt Strikes again: UAC-0056 continues to target Ukraine in its latest campaign
July 11, 2022 – CERT-UA : Attack by UAC-0056 group on state organizations of Ukraine using Cobalt Strike Beacon (CERT-UA#4941) (Ukrainian)
July 06, 2022 – CERT-UA : Cyber attack UAC-0056 on state organizations of Ukraine using Cobalt Strike Beacon (CERT-UA#4914) (Ukrainian)
April 26, 2022 – CERT-UA : UAC-0056 group cyber attack using GraphSteel and GrimPlant malware and the topic of COVID-19 (CERT-UA#4545) (Ukrainian)
April 25, 2022 – Bitdefender : Deep Dive into the Elephant Framework – A New Cyber Threat in Ukraine
April 04, 2022 – Intezer : Elephant Framework Delivered in Phishing Attacks Against Ukrainian Organizations
April 04, 2022 – NioGuard : Russian SaintBear Group Attacked Ukrainian Government Agencies Using GraphSteel & GrimPlant malware
April 01, 2022 – Malwarebytes : New UAC-0056 activity: There’s a Go Elephant in the room
March 30, 2022 – CrowdStrike : Who is EMBER BEAR?
March 28, 2022 – CERT-UA : Cyber attack of the UAC-0056 group on the state bodies of Ukraine using GraphSteel and GrimPlant malware (CERT-UA#4293) (Ukrainian)
March 15, 2022 – SentinelOne : Threat Actor UAC-0056 Targeting Ukraine with Fake Translation Software
March 04, 2022 – Mandiant : Responses to Russia's Invasion of Ukraine Likely to Spur Retaliation
February 25, 2022 – Unit 42 : Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot
February 21, 2022 – NSFOCUS : APT Lorec53 group launched a series of cyber attacks against Ukraine
February 08, 2022 – NSFOCUS : APT Retrospection: Lorec53, An Active Russian Hack Group Launched Phishing Attacks Against Georgian Government
February 02, 2022 – CERT-UA : Cyber attack of the UAC-0056 group on state organizations of Ukraine using SaintBot and OutSteel malware (CERT-UA#3799) (Ukrainian)
January 20, 2022 – Unit 42 : Threat Brief: Ongoing Russia and Ukraine Cyber Activity
January 17, 2022 – Picus : TTPs used by DEV-0586 APT Group in WhisperGate Attack Targeting Ukraine
January 16, 2022 – NCSCC-UA on Twitter: Operation # BleedingBear
January 15, 2022 – Microsoft : Destructive malware targeting Ukrainian organizations 2021
September 2, 2024
Country: Islamic Republic of Iran
Organization: Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO)
Objective: Espionage, Intelligence collection
(Page last updated December 05, 2024)
Aliases:
APT42 (Mandiant )
APT35 (Check Point Research , Google Threat Analysis Group , ThreatBook)
Ballistic Bobcat (ESET )
CALANQUE (Google Threat Analysis Group)
CharmingCypress (Volexity )
Charming Kitten (Clearsky , CERT-FA , Bitdefender )
COBALT ILLUSION (Secureworks )
ITG18 (IBM )
Magic Hound (MITRE , Unit 42 , Cyble )
Mint Sandstorm (Microsoft )
PHOSPHORUS (previously used by Microsoft, The DFIR Report , Deep Instinct , Cybereason)
TAG-56 (previously used by Recorded Future )
TA453 (Proofpoint )
TunnelVision or Tunnel Vision (eSentire, SentinelOne)
Yellow Garuda (PwC ) Sub-group:
Identified Members
Vulnerabilities Exploited
Tactics, Techniques, and Procedures
Mapped to MITRE ATT&CK
External link: MITRE
References
Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.
Links (Sorted in Chronological Order)
2024
November 28, 2024 – ThreatBook : APT35 Forges Recruitment Sites, Launches Attacks on Aerospace and Semiconductor Industries in Multiple Countries
November 12, 2024 – ClearSky : Iranian “Dream Job” Campaign 11.24 (subgroup)
September 27, 2024:
August 28, 2024 – Mandiant : I Spy With My Little Eye: Uncovering an Iranian Counterintelligence Operation (note: weak overlap)
August 23, 2024 – Meta : Taking Action Against Malicious Accounts in Iran
August 20, 2024 – Proofpoint : Best Laid Plans: TA453 Targets Religious Figure with Fake Podcast Invite Delivering New BlackSmith Malware Toolset
August 20, 2024 – Recorded Future : GreenCharlie Infrastructure Linked to US Political Campaign Targeting , available as PDF
August 19, 2024 – CISA : Joint ODNI, FBI, and CISA Statement on Iranian Election Influence Efforts (Note: not explicitly identified)
August 14, 2024 – Google Threat Analysis Group (TAG): Iranian backed group steps up phishing campaigns against Israel, U.S.
August 14, 2024 – Harfang Lab : Cyclops: a likely replacement for BellaCiao
August 08, 2024 – Microsoft Threat Analysis Center Iran Targeting 2024 US Election
May 22, 2024 – Cyble : Threat Actor Profile: Magic Hound
May 10, 2024: New Jersey Cybersecurity & Communications Integration Cell (NJ-CCIC): Recent Observed Iranian State-Sponsored Cyber Threat Group Activity (ATTRIBUTION to IRGC-IO )
May 1, 2024 – Mandiant : Uncharmed: Untangling Iran's APT42 Operations
February 13, 2024 – Volexity : CharmingCypress: Innovating Persistence
January 17, 2024 – Microsoft : New TTPs observed in Mint Sandstorm campaign targeting high-profile individuals at universities and research orgs 2023
2022
December 14, 2022 – Proofpoint : Would’ve, Could’ve, Should’ve…Did: TA453 Refuses to be Bound by Expectations
December 12, 2022 – SOCRadar : Dark Web Profile: APT42 – Iranian Cyber Espionage Group
November 29, 2022 – Recorded Future : Suspected Iran-Nexus TAG-56 Uses UAE Forum Lure for Credential Theft Against US Think Tank , available as PDF
September 27, 2022 – Avertium : An In-Depth Look at APT35 aka Charming Kitten
September 14, 2022 – U.S. Treasury : Treasury Sanctions IRGC-Affiliated Cyber Actors for Roles in Ransomware Activity (ATTRIBUTION to IRGC , links “Tunnel Vision” to Charming Kitten)
September 13, 2022 – Proofpoint : Look What You Made Me Do: TA453 Uses Multi-Persona Impersonation to Capitalize on FOMO
September 09, 2022 – CERT-FA : Charming Kitten: “Can We Have A Meeting?”
September 07, 2022 – Mandiant : APT42: Crooked Charms, Cons, and Compromises , available as PDF
September 07, 2022 – Microsoft : Profiling DEV-0270: PHOSPHORUS’ ransomware operations
August 23, 2022 – Google Threat Analysis Group (TAG): New Iranian APT data extraction tool
July 22, 2022 – PwC : Old cat, new tricks, bad habits
June 01, 2022 – Deep Instinct : Iranian Threat Actor Continues to Develop Mass Exploitation Tools
March 30, 2022 – Recorded Future : Social Engineering Remains Key Tradecraft for Iranian APTs , available as PDF
March 21, 2022 – The DFIR Report : PHOSPHORUS Automates Initial Access Using ProxyShell
March 09, 2022 – eSentire : Exploitation of VMware Horizon Servers by TunnelVision Threat Actor
February 17, 2022 – SentinelOne : Log4j2 In The Wild | Iranian-Aligned Threat Actor “TunnelVision” Actively Exploiting VMware Horizon
February 01?, 2022 – Cybereason : PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage
January 11, 2022 – Check Point Research : APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit 2021
2020
2019
2018
2017
2016
August 24, 2024
Country: People's Republic of China (PRC)
Organization: Hainan State Security Department (HSSD), of the Ministry of State Security (MSS)
Objective: Espionage
Aliases:
Bronze Mohawk (Secureworks )
Leviathan/Kryptonite Panda (CrowdStrike)
Gadolinium (formerly used by Microsoft)
Gingam Typhoon (Microsoft )
FEVERDREAM, G0065, GreenCrash, Hellsing, Mudcarp, Periscope
Temp.Periscope/ Temp.Jumper (FireEye) Front Company
Hainan Xiandun Technology Development Co., Ltd. (海南仙盾) (Hainan Xiandun) (Note: disbanded) Identified Members
Ding Xiaoyang (丁晓阳)
Cheng Qingmin (程庆民)
Zhu Yunmin (朱允敏)
Wu Shurong (吴淑荣) References:
Links (Sorted in Chronological Order)
2021
2020
2019
June 9, 2024
Country: People's Republic of China
Organization: N/A
Objective: Espionage
(Page Last Updated: December 05, 2024)
Aliases:
Vulnerabilities Exploited
CVE-2024-39717 (CVSSv3.1: 6.6 medium, in CISA's KEV Catalog)
Versa Director Dangerous File Type Upload Vulnerability
Source: Lumen CVE-2022-42475 (CVSSv3.1: 9.8 critical, in CISA's KEV Catalog)
Fortinet FortiOS Heap-Based Buffer Overflow Vulnerability
Source: CISA Source: Versa Networks
CVE-2023-27997 (CVSSv3.1: 9.8 critical, in CISA's KEV Catalog)
Fortinet FortiOS and FortiProxy SSL-VPN Heap-Based Buffer Overflow VulnerabilityCVE-2024-21762 (CVSSv3.1: 9.8 critical, in CISA's KEV Catalog)
Fortinet FortiOS Out-of-Bound Write VulnerabilityCVE-2023-46805 (CVSSv3.1: 8.2 high, in CISA's KEV Catalog)
Ivanti Connect Secure and Policy Secure Authentication Bypass VulnerabilityCVE-2024-21887 (CVSSv3.1: 9.1 critical, in CISA's KEV Catalog)
Ivanti Connect Secure and Policy Secure Command Injection Vulnerability References
Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.
Links (Sorted in Chronological Order)
2024
November 19, 2024 – Tenable : Volt Typhoon: U.S. Critical Infrastructure Targeted by State-Sponsored Actors
November 12, 2024 – Security Scorecard : The Botnet is Back: SSC STRIKE Team Uncovers a Renewed Cyber Threat
November 05, 2024 – Bloomberg : Chinese Group Accused of Hacking Singtel in Telecom Attacks (news article, archive link)
October 31, 2024 – Sophos : Pacific Rim: Inside the Counter-Offensive—The TTPs Used to Neutralize China-Based Threats
August 27, 2024 – Lumen : Taking the Crossroads: The Versa Director Zero-Day Exploitation
June 12, 2024 – Natto Thoughts : Who is Volt Typhoon? A State-sponsored Actor? Or Dark Power?
April 04, 2024 – Mandiant : Cutting Edge, Part 4: Ivanti Connect Secure VPN Post-Exploitation Lateral Movement Case Studies
March 20, 2024 – ASD ACSC : PRC State-Sponsored Cyber Activity
February 14?, 2024 – Dragos : VOLTZITE Espionage Operations Targeting U.S. Critical Systems and (7 page PDF )
February 14, 2024 – Unit 42 : Threat Brief: Attacks on Critical Infrastructure Attributed to Insidious Taurus (Volt Typhoon)
February 07, 2024 – Lumen : KV-Botnet: Don’t call it a Comeback
February 07, 2024 – CISA:
January 31, 2024 – U.S. Department of Justice: U.S. Government Disrupts Botnet People’s Republic of China Used to Conceal Hacking of Critical Infrastructure
January 31, 2024 – CISA : Secure by Design Alert: Security Design Improvements for SOHO Device Manufacturers and (2 page PDF )
January 11, 2024 – Security Scorecard : Threat Intelligence Research: Volt Typhoon Compromises 30% of Cisco RV320/325 Devices in 37 Days 2023
Feedback: Please direct message any comments, concerns, corrections or questions to https://infosec.exchange/@screaminggoat
