Not Simon 🐐

Country: Russia Organization: Russian General Staff Main Intelligence Directorate (GRU) 85th special Service Centre (GTsSS) Military Intelligence Unit 26165. Objective: Espionage

Aliases:

• APT28 (MITRE, Mandiant)
• Fancy Bear (CrowdStrike)
• Sofacy (F-Secure)
• Sednit or Sednit Group (ESET)
• Group 74 (Cisco Talos Intelligence)
• IRON TWILIGHT (Secureworks)
• Strontium (formerly used by Microsoft)
• Forest Blizzard (Microsoft)
• Pawn Storm (Trend Micro)
• Swallowtail (Symantec)
• BlueDelta (Recorded Future)
• UAC-0028 (CERT-UA)
• TA422 (Proofpoint)
• Fighting Ursa (Unit 42)
• FROZENLAKE (Google Threat Analysis Group)

Links

• CISA:
  • APT28 Exploits Known Vulnerability to Carry Out Reconnaissance and Deploy Malware on Cisco Routers (April 18, 2023)
• U.S. Department of Justice:
  • Justice Department Conducts Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU) (February 15, 2024)
  • Justice Department Announces Actions to Disrupt Advanced Persistent Threat 28 Botnet of Infected Routers and Network Storage Devices (May 23, 2018)
• U.S. State Department: The United States Condemns Malicious Cyber Activity Targeting Germany, Czechia, and Other EU Member States (May 3, 2024)
• U.S. Department of Defense: Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments (PDF, July 1, 2021)
• NSA: Russian Cyber Actors Use Compromised Routers to Facilitate Cyber Operations (February 27, 2024)
• United Kingdom:
  • UK enforces new sanctions against Russia for cyber attack on German Parliament (October 22, 2020)
  • Minister for Europe statement: attempted hacking of the OPCW by Russian military intelligence (October 4, 2018)
• NCSC-UK:
  • Malware Analysis Report: Jaguar Tooth (PDF, April 18, 2023)

Country: Russia Organization: Foreign Intelligence Service (SVR) Objective: Espionage

Aliases:

• APT29 (MITRE, Mandiant, Kaspersky, BlackBerry, Infoblox, )
• Cozy Bear (CrowdStrike)
• The Dukes (F-Secure)
• Group 100 (Talos)
• Iron Hemlock (SecureWorks)
• Nobelium (formerly used by Microsoft)
• Midnight Blizzard (Microsoft)
• Iron Hemlock (SecureWorks)
• Cloaked Ursa (Palo Alto)
• BlueBravo (Recorded Future)
• Cloaked Ursa (Unit 42)

Links

• CISA:
  • SVR Cyber Actors Adapt Tactics for Initial Cloud Access (February 26, 2024)
  • Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally (December 13, 2023)
  • Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise (May 21, 2021)
  • Russian Foreign Intelligence Service (SVR) Cyber Operations: Trends and Best Practices for Network Defenders (April 26, 2021)
  • Detecting Post-Compromise Threat Activity Using the CHIRP IOC Detection Tool (April 15, 2021)
  • Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments (January 8, 2021)
  • Enhanced Analysis of GRIZZLY STEPPE Activity (February 10, 2017)
• NCSC-UK:
  • UK and allies expose evolving tactics of Russian cyber actors (February 26, 2024)
  • Joint advisory: Further TTPs associated with SVR cyber actors (May 7, 2021)
  • Advisory: APT29 targets COVID-19 vaccine development (July 16, 2020)
• Mandiant: APT29 Uses WINELOADER to Target German Political Parties (March 22, 2024)
• Microsoft:
  • Update on Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard (March 08, 2024)
  • Midnight Blizzard: Guidance for responders on nation-state attack (January 25, 2024)
  • Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard (January 19, 2024)
  • Midnight Blizzard conducts targeted social engineering over Microsoft Teams (August 2, 2023)
  • MagicWeb: NOBELIUM’s post-compromise trick to authenticate as anyone (August 24, 2022)
  • NOBELIUM targeting delegated administrative privileges to facilitate broader attacks (October 25, 2021)

Country: Islamic Republic of Iran Organization: Ministry of Intelligence and Security (MOIS) Objective: Espionage

Aliases:

• MuddyWater (CERTFA, Check Point, Cisco Talos Intelligence, Clearsky, Deep Instinct, ESET Research, Group-IB, MITRE, Kaspersky, Trellix, Unit 42)
• Seedworm (Symantec)
• TEMP.Zagros (FireEye)
• Static Kitten (CrowdStrike)
• MERCURY (formerly used by Microsoft)
• Mango Sandstorm (Microsoft)
• Boggy Serpens (Unit 42)
• ENT-11 (NTT Security)
• TA450 (Proofpoint)
• Cobalt Ulster (SecureWorks)
• ATK 51 (Thales)
• T-APT-14 (Tencent)
• ITG17 (IBM)
• Yellow Nix (PWC)
• Earth Vetala (Trend Micro)

Vulnerabilities Exploited

• CVE-2023-27350 (CVSSv3: 9.8 critical) PaperCut MF/NG Improper Access Control Vulnerability. Source: Microsoft
• CVE-2021-45046 (CVSSv3: 9.0 critical) Apache Log4j2 Remote Code Execution Vulnerability (also related to Log4Shell). Source: Microsoft
• CVE-2021-44228 (CVSSv3: 10.0 critical) Apache Log4j2 Remote Code Execution Vulnerability (aka Log4Shell). Source: Microsoft
• CVE-2020-0688 (CVSSv3: 8.8 high) Microsoft Exchange Validation Key Remote Code Execution Vulnerability. Source: CISA, SentinelOne
• CVE-2020-1472 (CVSSv3: 10.0 critical) Netlogon Elevation of Privilege Vulnerability (aka ZeroLogon). Source: Clearsky, CISA
• CVE-2020-0688 (CVSSv3: 8.8 high) Microsoft Exchange Validation Key Remote Code Execution Vulnerability. Source: Clearsky
• CVE-2017-0199 (CVSSv3: 7.8 high) Microsoft Office/WordPad Remote Code Execution Vulnerability. Source: Clearsky, CISA

References

Links (Sorted in Chronological Order)

2024

• May 14, 2024 – ESET Research: ESET APT Activity Report Q4 2023–Q1 2024
• April 24, 2024 – Broadcom: Seedworm exploits Atera Agent in a spear-phishing Campaign
• 22 April 2024 – HarfangLab: Increased activity from Iran sponsored APT MuddyWater, targeting Middle East, African & European organisations.
• April 08, 2024: Unit 42: Boggy Serpens (MuddyWater) Use of AutodialDLL
• April 07, 2024 – Broadcom: Seedworm distributing remote administration management software agents
• March 29, 2024 – Malwation: New MuddyWater Campaigns After Operation Swords of Iron
• March 21, 2024 – Proofpoint: Security Brief: TA450 Uses Embedded Links in PDF Attachments in Latest Campaign
• March 07, 2024 – Israel National Cyber Directorate: An active phishing campaign in Israeli territory – the Iranian attack group MuddyWater (Hebrew language)

2023

• December 19, 2023 – Symantec: Seedworm: Iranian Hackers Target Telecoms Orgs in North and East Africa
• November 08, 2023 – Deep Instinct: MuddyC2Go – Latest C2 Framework Used by Iranian APT MuddyWater Spotted in Israel
• November 01, 2023 – Deep Instinct: MuddyWater eN-Able spear-phishing with new TTPs
• June 29, 2023 – Deep Instinct: PhonyC2: Revealing a New Malicious Command & Control Framework by MuddyWater
• May 5, 2023 – Microsoft: Twitter: “Microsoft has now observed Iranian state-sponsored threat actors Mint Sandstorm (PHOSPHORUS) & Mango Sandstorm (MERCURY) exploiting CVE-2023-27350.”
• May 02 2023 – ESET Research: APT groups muddying the waters for MSPs
• April 18, 2023 – Group-IB: SimpleHarm: Tracking MuddyWater’s infrastructure
• April 07, 2023 – Microsoft: MERCURY and DEV-1084: Destructive attack on hybrid environment

2022

• December 08, 2022 – Deep Instinct: New MuddyWater Threat: Old Kitten; New Tricks
• September 09, 2022 – U.S. Treasury: Treasury Sanctions Iranian Ministry of Intelligence and Minister for Malign Cyber Activities
• August 25, 2022 – Microsoft: MERCURY leveraging Log4j 2 vulnerabilities in unpatched systems to target Israeli organizations
• June 21, 2022 – Lab52: MuddyWater’s “light” first-stager targeting Middle East
• May 11, 2022 – NTT Security: Analysis of an Iranian APTs “E400” PowGoop variant reveals dozens of control servers dating back to 2020
• March 14, 2022 – EclecticIQ: MuddyWater APT attributed to Iranian Ministry of Intelligence and Security, and the Increasing Global Ransomware Threat
• March 10, 2022 – Cisco Talos: Iranian linked conglomerate MuddyWater comprised of regionally focused subgroups
• February 24, 2022 – CISA: Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks
  • February 24, 2022 – NCSC-UK: Malware Analysis Report: Small Sieve (PDF)
• January 31, 2022 – Cisco Talos: Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables
• January 12, 2022 – U.S. Cyber Command: Iranian intel cyber suite of malware uses open source tools (ATTRIBUTION)
• January 12, 2022 – SentinelOne: Wading Through Muddy Waters | Recent Activity of an Iranian State-Sponsored Threat Actor

2021

• December 14, 2021 – Symantec: Espionage Campaign Targets Telecoms Organizations across Middle East and Asia
• March 05, 2021 – Trend Micro: Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East
• February 10, 2021 – Anomali: Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies

2020

• October 21, 2020 – Symantec: Seedworm: Iran-Linked Group Continues to Target Organizations in the Middle East
• October 15, 2020 – Clearsky: Operation Quicksand
• February 26, 2020 – Secureworks: Business as Usual for Iranian Operations Despite Increased Tensions

2019

• June 06, 2019 – Clearsky: Iranian APT group ‘MuddyWater’ Adds Exploits to Their Arsenal
• May 29, 2019 – Group-IB: Catching fish in muddy waters
• April 15, 2019 – Clearsky: Iranian APT MuddyWater Attack Infrastructure Targeting Kurdish Political Groups and Organizations in Turkey
• April 10, 2019 – Check Point: The Muddy Waters of APT Attacks

2018

• December 10, 2018 – Symantec: Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms
• November 28, 2018 – Clearsky: MuddyWater Operations in Lebanon and Oman
• October 10, 2018 – Kaspersky: MuddyWater expands operations
• June 14, 2018 – Trend Micro: Potential MuddyWater Campaign uses PRB-Backdoor
• March 13, 2018 – FireEye: Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign
• March 12, 2018 – Trend Micro: Potential MuddyWater Campaign Seen in the Middle East

2017

• November 14, 2017 – Unit 42: Muddying the Water: Targeted Attacks in the Middle East

Country: People's Republic of China (PRC) Organization: Hubei State Security Department (HSSD), of the Ministry of State Security (MSS) Objective: Espionage

Aliases:

• BRONZE VINEWOOD (Secureworks)
• Judgment Panda (CrowdStrike)
• Red keres (PwC)
• TA412 (Proofpoint)
• Violet Typhoon (Microsoft)
• ZIRCONIUM (formerly used by Microsoft, MITRE)
• RedBravo (Recorded Future)

Front Company

• Wuhan Xiaoruizhi Science and Technology Company, Limited (Wuhan XRZ, 武汉晓睿智科技有限责任公司)

Identified Members

• Ni Gaobin (倪高彬)
• Weng Ming (翁明)
• Cheng Feng (程锋)
• Peng Yaowen (彭耀文)
• Sun Xiaohui (孙小辉)
• Xiong Wang (熊旺)
• Zhao Guangzong (赵光宗)

Links

• U.S. Department of Justice: Seven Hackers Associated with Chinese Government Charged with Computer Intrusions Targeting Perceived Critics of China and U.S. Businesses and Politicians (March 25, 2024)
• U.S. State Department: U.S. Takes Action to Further Disrupt PRC Cyber Activities (March 25, 2024)
• Rewards for Justice: APT31/Wuhan Xiaoruizhi Science &Technology Company, Ltd. (March 25, 2024)
• U.S. Treasury: Treasury Sanctions China-Linked Hackers for Targeting U.S. Critical Infrastructure (March 25, 2024)
• United Kingdom: UK holds China state-affiliated organisations and individuals responsible for malicious cyber activity (March 25, 2024)
• NCSC-UK: UK calls out China state-affiliated actors for malicious cyber targeting of UK democratic institutions and parliamentarians (March 25, 2024)

Country: Russia Organization: Military Unit 74455, of the Main Center for Special Technologies (GTsST), of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), formerly known as the Main Intelligence Directorate Objective: Espionage, Attack, Influence Operations

Aliases:

• UAC-0133 (CERT-UA)
• Sandworm Team (Trend Micro, MITRE)
• Sandworm (ESET, Rapid7)
• Iron Viking (SecureWorks)
• CTG-7263 (SecureWorks)
• APT44 (Google Cloud, Mandiant)
• FROZENBARENTS (Google Threat Analysis Group)
• IRIDIUM (formerly used by Microsoft)
• Seashell Blizzard (Microsoft)
• Voodoo Bear (CrowdStrike)
• ELECTRUM (Dragos)
• Quedagh
• Black Energy (Group)
• TEMP.Noble

Personas Used

• Cyber Army of Russia Reborn

Identified Members

• Yuriy Sergeyevich Andrienko:
  • Rewards for Justice
  • FBI Most Wanted
• Sergey Vladimirovich Detistov:
  • Rewards for Justice
  • FBI Most Wanted
• Pavel Valeryevich Frolov:
  • Rewards for Justice
  • FBI Most Wanted
• Anatoliy Sergeyevich Kovalev:
  • Rewards for Justice
  • FBI Most Wanted
• Artem Valeryevich Ochichenko:
  • Rewards for Justice
  • FBI Most Wanted
• Petr Nikolayevich Pliskin:
  • Rewards for Justice
  • FBI Most Wanted

Links

• U.S. Department of Defense: New Sandworm malware Cyclops Blink replaces VPNFilter (PDF, February 23, 2022)
• U.S. Department of Justice:
  • Six Russian GRU Officers Charged in Connection with Worldwide Deployment of Destructive Malware and Other Disruptive Actions in Cyberspace (October 19, 2020)
  • Justice Department Announces Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate (GRU) (April 6, 2022)
• CISA: Infamous Chisel Malware Analysis Report (August 31, 2023)
• NSA: Government Agencies Report New Russian Malware Targets Ukrainian Military (August 31, 2023)
• NCSC-UK: New Sandworm malware Cyclops Blink replaces VPNFilter (February 23, 2022)

Country: Russian Federation Organization: Federal Security Service (FSB) Center 18 Motivation: Espionage

Aliases

• SEABORGIUM (formerly used by Microsoft)
• Star Blizzard (Microsoft)
• TA446 (Proofpoint)
• COLDRIVER (Google Threat Analysis Group)
• TAG-53 (formerly used by Recorded Future)
• BlueCharlie (Recorded Future)
• Iron Frontier (Secureworks)
• Blue Callisto (PwC)
• Calisto (Sekoia)
• The Callisto Group (F-Secure, now called WithSecure)
• UNC4057 (Mandiant)
• Gossamer Bear (CrowdStrike)

Identified Members

• Ruslan Aleksandrovich Peretyatko
  • Rewards for Justice
  • FBI Most Wanted
• Andrey Stanislavovich Korinets
  • Rewards for Justice
  • FBI Most Wanted

References (Sorted by Chronological Order)

2024

• April 25, 2024 – Mandiant: Poll Vaulting: Cyber Threats to Global Elections

2023

• December 13, 2023 – Sekoia: CALISTO doxxing: Sekoia.io findings concurs to Reuters’ investigation on FSB-related Andrey Korinets
• December 8, 2023:
  • NCSC-NZ: Joint Advisory: Russian state cyber actors’ global spear-phishing campaigns
  • ACSC ASD: Russian FSB cyber actor Star Blizzard continues worldwide spear-phishing campaigns
• December 7, 2023: (ATTRIBUTION)
  • NCSC-UK: Russian FSB cyber actor Star Blizzard continues worldwide spear-phishing campaigns
  • United Kingdom: UK exposes attempted Russian cyber interference in politics and democratic processes
  • CISA: Russian FSB Cyber Actor Star Blizzard Continues Worldwide Spear-phishing Campaigns
  • FBI: Russian FSB cyber actor Star Blizzard continues worldwide spear-phishing campaigns. (PDF)
  • U.S. Cyber Command: US, Allies Highlight Russian-State Cyber Actor “Star Blizzard” Spear-phishing Campaigns
  • U.S. Department of Justice: Two Russian Nationals Working with Russia’s Federal Security Service Charged with Global Computer Intrusion Campaign
  • U.S. Treasury: United States and the United Kingdom Sanction Members of Russian State Intelligence-Sponsored Advanced Persistent Threat Group
  • U.S. State Department: U.S. Takes Action to Further Disrupt Russian Cyber Activities
  • Microsoft: Star Blizzard increases sophistication and evasion in ongoing attacks
• August 02, 2023 – Recorded Future: BlueCharlie, Previously Tracked as TAG-53, Continues to Deploy New Infrastructure in 2023
• February 15, 2023 – Mandiant/Google TAG: Fog of War: How the Ukraine Conflict Transformed the Cyber Threat Landscape (PDF)
• January 26, 2023 – NCSC-UK: SEABORGIUM and TA453 continue their respective spear-phishing campaigns against targets of interest
• January 06, 2023 – Reuters: Exclusive: Russian hackers targeted U.S. nuclear scientists (News article)

2022

• December 05, 2022:
  • Sekoia: Calisto show interests into entities involved in Ukraine war support
  • Recorded Future: Exposing TAG-53’s Credential Harvesting Infrastructure Used for Russia-Aligned Espionage Operations
• December 02, 2022 – PwC: Blue Callisto orbits around US Laboratories in 2022
• August 15, 2022 – Microsoft: Disrupting SEABORGIUM’s ongoing phishing operations
• June 22, 2022 – Sekoia: CALISTO continues its credential harvesting campaign
• May 03, 2022 – Google Threat Analysis Group: Update on cyber activity in Eastern Europe
• March 30, 2022 – Google Threat Analysis Group: Tracking cyber activity in Eastern Europe

2017

• April 13, 2017 – F-Secure: The Callisto Group (PDF)