May 27, 2024
Country: Russia
Organization: Russian General Staff Main Intelligence Directorate (GRU) 85th Special Service Centre (GTsSS), Military Intelligence Unit 26165
Objective: Espionage
Aliases:
APT28 (MITRE, Mandiant)
Fancy Bear (CrowdStrike)
Sofacy (F-Secure)
Sednit or Sednit Group (ESET)
Group 74 (Cisco Talos Intelligence)
IRON TWILIGHT (Secureworks)
Strontium (formerly used by Microsoft)
Forest Blizzard (Microsoft)
Pawn Storm (Trend Micro)
Swallowtail (Symantec)
BlueDelta (Recorded Future)
UAC-0028 (CERT-UA)
TA422 (Proofpoint)
Fighting Ursa (Unit 42)
FROZENLAKE (Google Threat Analysis Group)
Links
May 26, 2024
Country: Russia
Organization: Foreign Intelligence Service (SVR)
Objective: Espionage
Aliases:
APT29 (MITRE, Mandiant, Kaspersky, BlackBerry, Infoblox)
Cozy Bear (CrowdStrike)
The Dukes (F-Secure)
Group 100 (Talos)
Iron Hemlock (SecureWorks)
Nobelium (formerly used by Microsoft)
Midnight Blizzard (Microsoft)
Cloaked Ursa (Palo Alto Networks Unit 42)
BlueBravo (Recorded Future)
Links
May 26, 2024
Country: Islamic Republic of Iran
Organization: Ministry of Intelligence and Security (MOIS)
Objective: Espionage
Aliases:
MuddyWater (CERTFA, Check Point, Cisco Talos Intelligence, Clearsky, Deep Instinct, ESET Research, Group-IB, MITRE, Kaspersky, Trellix, Unit 42)
Seedworm (Symantec)
TEMP.Zagros (FireEye)
Static Kitten (CrowdStrike)
MERCURY (formerly used by Microsoft)
Mango Sandstorm (Microsoft)
Boggy Serpens (Unit 42)
ENT-11 (NTT Security)
TA450 (Proofpoint)
Cobalt Ulster (SecureWorks)
ATK 51 (Thales)
T-APT-14 (Tencent)
ITG17 (IBM)
Yellow Nix (PWC)
Earth Vetala (Trend Micro)
Vulnerabilities Exploited
CVE-2023-27350 (CVSSv3: 9.8 critical) PaperCut MF/NG Improper Access Control Vulnerability. Source: Microsoft
CVE-2021-45046 (CVSSv3: 9.0 critical) Apache Log4j2 Remote Code Execution Vulnerability (also related to Log4Shell). Source: Microsoft
CVE-2021-44228 (CVSSv3: 10.0 critical) Apache Log4j2 Remote Code Execution Vulnerability (aka Log4Shell). Source: Microsoft
CVE-2020-0688 (CVSSv3: 8.8 high) Microsoft Exchange Validation Key Remote Code Execution Vulnerability. Source: CISA, SentinelOne, Clearsky
CVE-2020-1472 (CVSSv3: 10.0 critical) Netlogon Elevation of Privilege Vulnerability (aka ZeroLogon). Source: Clearsky, CISA
CVE-2017-0199 (CVSSv3: 7.8 high) Microsoft Office/WordPad Remote Code Execution Vulnerability. Source: Clearsky, CISA
References
Links (Sorted in Chronological Order)
2024
2023
2022
December 08, 2022 – Deep Instinct: New MuddyWater Threat: Old Kitten; New Tricks
September 09, 2022 – U.S. Treasury: Treasury Sanctions Iranian Ministry of Intelligence and Minister for Malign Cyber Activities
August 25, 2022 – Microsoft: MERCURY leveraging Log4j 2 vulnerabilities in unpatched systems to target Israeli organizations
June 21, 2022 – Lab52: MuddyWater’s “light” first-stager targeting Middle East
May 11, 2022 – NTT Security: Analysis of an Iranian APTs “E400” PowGoop variant reveals dozens of control servers dating back to 2020
March 14, 2022 – EclecticIQ: MuddyWater APT attributed to Iranian Ministry of Intelligence and Security, and the Increasing Global Ransomware Threat
March 10, 2022 – Cisco Talos: Iranian linked conglomerate MuddyWater comprised of regionally focused subgroups
February 24, 2022 – CISA: Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks
January 31, 2022 – Cisco Talos: Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables
January 12, 2022 – U.S. Cyber Command: Iranian intel cyber suite of malware uses open source tools (ATTRIBUTION)
January 12, 2022 – SentinelOne: Wading Through Muddy Waters | Recent Activity of an Iranian State-Sponsored Threat Actor
2021
2020
2019
2018
December 10, 2018 – Symantec: Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms
November 28, 2018 – Clearsky: MuddyWater Operations in Lebanon and Oman
October 10, 2018 – Kaspersky: MuddyWater expands operations
June 14, 2018 – Trend Micro: Potential MuddyWater Campaign uses PRB-Backdoor
March 13, 2018 – FireEye: Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign
March 12, 2018 – Trend Micro: Potential MuddyWater Campaign Seen in the Middle East
2017
May 26, 2024
Country: People's Republic of China (PRC)
Organization: Hubei State Security Department (HSSD), of the Ministry of State Security (MSS)
Objective: Espionage
Aliases:
BRONZE VINEWOOD (Secureworks)
Judgment Panda (CrowdStrike)
Red Keres (PwC)
TA412 (Proofpoint)
Violet Typhoon (Microsoft)
ZIRCONIUM (formerly used by Microsoft, MITRE)
RedBravo (Recorded Future)
Front Company
Wuhan Xiaoruizhi Science and Technology Company, Limited (Wuhan XRZ, 武汉晓睿智科技有限责任公司)
Identified Members
Ni Gaobin (倪高彬)
Weng Ming (翁明)
Cheng Feng (程锋)
Peng Yaowen (彭耀文)
Sun Xiaohui (孙小辉)
Xiong Wang (熊旺)
Zhao Guangzong (赵光宗)
Links
May 26, 2024
Country: Russia
Organization: Military Unit 74455, of the Main Center for Special Technologies (GTsST), of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), formerly known as the Main Intelligence Directorate
Objective: Espionage, Attack, Influence Operations
Aliases:
UAC-0133 (CERT-UA)
Sandworm Team (Trend Micro, MITRE)
Sandworm (ESET, Rapid7)
Iron Viking (SecureWorks)
CTG-7263 (SecureWorks)
APT44 (Google Cloud, Mandiant)
FROZENBARENTS (Google Threat Analysis Group)
IRIDIUM (formerly used by Microsoft)
Seashell Blizzard (Microsoft)
Voodoo Bear (CrowdStrike)
ELECTRUM (Dragos)
Quedagh
Black Energy (Group)
TEMP.Noble
Personas Used
Cyber Army of Russia Reborn
Identified Members
Yuriy Sergeyevich Andrienko
Sergey Vladimirovich Detistov
Pavel Valeryevich Frolov
Anatoliy Sergeyevich Kovalev
Artem Valeryevich Ochichenko
Petr Nikolayevich Pliskin
Links
May 26, 2024
Country: Russian Federation
Organization: Federal Security Service (FSB) Center 18
Motivation: Espionage
Aliases:
SEABORGIUM (formerly used by Microsoft)
Star Blizzard (Microsoft)
TA446 (Proofpoint)
COLDRIVER (Google Threat Analysis Group)
TAG-53 (formerly used by Recorded Future)
BlueCharlie (Recorded Future)
Iron Frontier (Secureworks)
Blue Callisto (PwC)
Calisto (Sekoia)
The Callisto Group (F-Secure, now called WithSecure)
UNC4057 (Mandiant)
Gossamer Bear (CrowdStrike)
Identified Members
Ruslan Aleksandrovich Peretyatko
Andrey Stanislavovich Korinets
References (Sorted in Chronological Order)
2024
2023
2022
2017