November 23, 2024
Country: Democratic People's Republic of Korea (DPRK)
Objective: Corporate Espionage, Financial Gain
(Page Last Updated: November 23, 2024)
Organizations:
313 General Bureau of the Munitions Industry Department (MID)
The Ministry of Atomic Energy Industry
Ministry of Defense
Korea People's Army
DPRK Education Commission's Foreign Trade Office
Pyongyang Information Technology Bureau of the Central Committee's Science and Education Department
Pyongyang University of Automation (training)
Technical Reconnaissance Bureau
subordinate cyber unit: 110th Research Center
Chinyong Information Technology Cooperation Company (Chinyong)
Companies employing DPRK IT workers:
Yanbian Silverstar Network Technology Co. Ltd.
Volasys Silver Star
Identified individuals assisting DPRK IT workers:
Minh Phuong Vong
Matthew Isaac Knoot
Christina Marie Chapman
Oleksandr Didenko
Sim Hyon Sop (Sim)
Groups or Aliases:
References
Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.
Links (Sorted in Chronological Order)
Unknown Date
2024
November 22, 2024 – Microsoft Threat Intelligence: Microsoft shares latest intelligence on North Korean and Chinese threat actors at CYBERWARCON
November 21, 2024 – SentinelOne : DPRK IT Workers | A Network of Active Front Companies and Their Links to China
November 14, 2024 – Unit 42 : Fake North Korean IT Worker Linked to BeaverTail Video Conference App Phishing Attack
November 13, 2024 – Unit 42 : Global Companies Are Unknowingly Paying North Koreans: Here's How to Catch Them
November 01, 2024 – New York State Department of Financial Services : Re: Cybersecurity Advisory – Threats Posed by Remote Technology Workers with Ties to Democratic People's Republic of Korea
October 24, 2024 – HYPR : HYPR Unmasks a Fake IT Worker: North Korea Isn't the Only Threat
October 19, 2024 – KnowBe4 : North Korean IT Worker Threat: 10 Critical Updates to Your Hiring Process
October 02, 2024 – CoinDesk : How North Korea Infiltrated the Crypto Industry
October 01, 2024 – Bundesamt für Verfassungsschutz (Germany): Private Sector Security Advisory | 02/2024 | 1 October 2024 | Subject: North Korean IT Workers
September 23, 2024 – Mandiant : Staying a Step Ahead: Mitigating the DPRK IT Worker Threat
August 19, 2024 – UK Government : Democratic People's Republic of Korea sanctions: guidance
August 14, 2024 – Cinder : We found North Korean engineers in our application pile. Here's what our ex-CIA co-founders did about it.
August 08, 2024 – U.S. Department of Justice : Justice Department Disrupts North Korean Remote IT Worker Fraud Schemes Through Charges and Arrest of Nashville Facilitator
July 23, 2024 – KnowBe4 : How a North Korean Fake IT Worker Tried to Infiltrate Us
May 16, 2024 – U.S. Department of Justice :
May 16, 2024 – U.S. Department of State :
May 16, 2024 – FBI : Democratic People's Republic of Korea Leverages U.S.-Based Individuals to Defraud U.S. Businesses and Generate Revenue
April 22, 2024 – 38North : What We Learned Inside a North Korean Internet Server: How Well Do You Know Your Partners?
February 21, 2024 – Mandiant : The North Korean IT Workers
(podcast on Spotify)
2023
2022
May 16, 2022 – U.S. Treasury :
Feedback: Please direct message any comments, concerns, corrections or questions to https://infosec.exchange/@screaminggoat
September 29, 2024
Country: People's Republic of China
Organization: N/A
Objective: Espionage
(Page Last Updated: December 06, 2024)
Aliases:
Links to other groups
Vulnerabilities Exploited
ProxyLogon (Sources: ESET, Kaspersky, Sygnia, Trend Micro):
CVE-2021-26855 (9.8 critical, in CISA's KEV Catalog)
Microsoft Exchange Server Remote Code Execution Vulnerability
CVE-2021-26857 (7.8 high, in CISA's KEV Catalog)
Microsoft Exchange Server Remote Code Execution Vulnerability
CVE-2021-26858 (7.8 high, in CISA's KEV Catalog)
Microsoft Exchange Server Remote Code Execution Vulnerability
CVE-2021-27065 (7.8 high, in CISA's KEV Catalog)
Source: Trend Micro
CVE-2023-46805 (8.2 high, in CISA's KEV Catalog)
Ivanti Connect Secure and Policy Secure Authentication Bypass Vulnerability
CVE-2024-21887 (9.1 critical, in CISA's KEV Catalog)
Ivanti Connect Secure and Policy Secure Command Injection Vulnerability
CVE-2023-48788 (9.8 critical, in CISA's KEV Catalog)
Fortinet FortiClient EMS SQL Injection Vulnerability
CVE-2022-3236 (9.8 critical, in CISA's KEV Catalog)
Sophos Firewall Code Injection Vulnerability
unidentified Microsoft SharePoint and Oracle Opera business software vulnerabilities (Source: ESET)
CVE-2017-11882 (7.8 high, in CISA's KEV Catalog. Note: associated with alias Tropic Trooper)
Microsoft Office Memory Corruption Vulnerability
Source: Trend Micro
CVE-2012-0158 (8.8 high, in CISA's KEV Catalog. Note: associated with alias Tropic Trooper, KeyBoy)
Microsoft MSCOMCTL.OCX Remote Code Execution Vulnerability
Sources: Unit 42, Citizen Lab
CVE-2017-0199 (7.8 high, in CISA's KEV Catalog. Note: associated with alias Tropic Trooper)
Microsoft Office and WordPad Remote Code Execution Vulnerability
Source: Citizen Lab
CVE-2015-1641 (7.8 high, in CISA's KEV Catalog. Note: associated with alias KeyBoy)
Microsoft Office Memory Corruption Vulnerability
Source: Citizen Lab
References
Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.
Links (Sorted in Chronological Order)
2024
December 04, 2024 – Wall Street Journal : Dozens of Countries Hit in Chinese Telecom Hacking Campaign, Top U.S. Official Says (news article)
December 03, 2024 – CISA : CISA and Partners Release Joint Guidance on PRC-Affiliated Threat Actor Compromising Networks of Global Telecommunications Providers
November 27, 2024 – Bloomberg : T-Mobile Engineers Spotted Hackers Running Commands on Routers (news article, archive of paywalled article)
November 25, 2024 – Trend Micro : Game of Emperor: Unveiling Long Term Earth Estries Cyber Intrusions
November 20, 2024 – Natto Thoughts : Salt Typhoon: Churning Up a Storm of Consternation
November 19, 2024 – CrowdStrike : Unveiling LIMINAL PANDA: A Closer Look at China's Cyber Threats to the Telecom Sector
November 15, 2024 – Wall Street Journal : T-Mobile Hacked in Massive Chinese Breach of Telecom Networks (news article)
November 07, 2024 – Trend Micro : Breaking Down Earth Estries' Persistent TTPs in Prolonged Cyber Operations
October 25, 2024 – Wall Street Journal : Chinese Hackers Targeted Phones of Trump, Vance, and Harris Campaign (news article)
October 25, 2024 – CISA : Joint Statement by FBI and CISA on PRC Activity Targeting Telecommunications (not explicitly mentioned)
October 11, 2024 – Washington Post : White House forms emergency team to deal with China espionage hack (news article)
October 04, 2024 – Wall Street Journal : U.S. Wiretap Systems Targeted in China-Linked Hack (news article)
September 25, 2024 – Wall Street Journal : China-Linked Hackers Breach U.S. Internet Providers in New 'Salt Typhoon' Cyberattack (news article)
September 05, 2024 – Kaspersky : Tropic Trooper spies on government entities in the Middle East
July 17, 2024 – Sygnia : The Return of Ghost Emperor's Demodex
2023
2022
2021
2020
2018
2017
2016
2015
2013
Feedback: Please direct message any comments, concerns, corrections or questions to https://infosec.exchange/@screaminggoat
September 23, 2024
Country: People's Republic of China
Organization: Integrity Technology Group
Objective: Espionage, Information theft
(Page last updated: October 13, 2024)
Aliases (sorted alphabetically):
Associated Company
Integrity Technology Group (Integrity Tech) (Source: FBI (PDF))
aka Yongxin Zhicheng, 永信至诚
Vulnerabilities Exploited
Source: FBI
References
Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.
Links (Sorted in Chronological Order)
2024
2023
2022
2020
May 20, 2020?? – PRC Ministry of State Security : 前沿 | 网络靶场,未来安全的基础设施 (web archive of a MSS-run periodical reprinted on IntegrityTech's website, English translation: “Frontier | Cyber Range, the secure infrastructure of the future”)
Feedback: Please direct message any comments, concerns, corrections or questions to https://infosec.exchange/@screaminggoat
September 12, 2024
Country: Islamic Republic of Iran
Organization: Ministry of Intelligence and Security (MOIS)
Objective: Espionage, Sabotage
(Page last updated October 12, 2024)
Aliases (sorted alphabetically):
APT34 (Check Point Research, FireEye, Intezer, NSA, NSFOCUS, Trend Micro)
CHRYSENE (Dragos)
Cobalt Gypsy (Secureworks) (primary)
Cobalt Lyceum (Secureworks)
Crambus (Symantec)
Earth Simnavaz (Trend Micro)
Europium (previously used by Microsoft)
Greenbug (ClearSky, Symantec)
Hazel Sandstorm (Microsoft)
Helix Kitten (CrowdStrike, Wikipedia)
HEXANE (Dragos) (linked to Lyceum by Kaspersky)
ITG13 (IBM)
Lyceum (Kaspersky, Secureworks)
OilRig (ClearSky, Cyble, EDTA, ESET, Kaspersky, Malpedia, MITRE, Unit 42)
TA452 (Proofpoint)
TG-2889 (formerly used by Secureworks)
Yellow Maero (PwC)
Sub-group:
Known Associates
Mojtaba Mostafavi. Source: U.S. Treasury (linked by PwC, via Lab Dookhtegan leaks)
Farzin Karimi Mazlganchai: PwC
Vulnerabilities Exploited
CVE-2024-30088 (CVSSv3.1: 7.0 high)
Windows Kernel Elevation of Privilege Vulnerability
Source: Trend Micro
CVE-2019-0604 (CVE, NVD. CVSSv3.1: 9.8 critical, in CISA's KEV Catalog)
Microsoft SharePoint Remote Code Execution Vulnerability
Source: Microsoft
CVE-2017-11882 (CVE, NVD. CVSSv3.1: 7.8 high, in CISA's KEV Catalog)
Microsoft Office Memory Corruption Vulnerability
Source: Mandiant
CVE-2017-0199 (CVE, NVD. CVSSv3.1: 7.8 high, in CISA's KEV Catalog)
Microsoft Office and WordPad Remote Code Execution Vulnerability
Source: Unit 42
Tactics, Techniques, and Procedures (TTPs)
As listed by MITRE
References
Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.
Links (Sorted in Chronological Order)
2024
2023
December 20, 2023 – Security Scorecard : A detailed analysis of the Menorah malware used by APT34
December 14, 2023 – ESET : OilRig’s persistent attacks using cloud service-powered downloaders
October 31, 2023 – Check Point Research : From Albania to the Middle East: The Scarred Manticore is Listening (AFFILIATED WITH MOIS)
October 19, 2023 – Symantec : Crambus: New Campaign Targets Middle Eastern Government
September 29, 2023 – Trend Micro : APT34 Deploys Phishing Attack With New Malware
September 21, 2023 – ESET : OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes
August 30, 2023 – NSFOCUS : APT34 Unleashes New Wave of Phishing Attack with Variant of SideTwist Trojan
May 09, 2023 – ESET : ESET APT Activity Report Q4 2022–Q1 2023, specifically page 8 of the PDF (PDF)
May 08, 2023 – Kaspersky : Kaspersky experts warn of increased IT supply chain attacks by OilRig APT in the Middle East and Turkiye
February 02, 2023 – Trend Micro : New APT34 Malware Targets The Middle East
2022
2021
2020
2019
December 17, 2019 – Kaspersky : OilRig’s Poison Frog – old samples, same trick
December 04, 2019 – IBM : New Destructive Wiper ZeroCleare Targets Energy Sector in the Middle East
November 09, 2019 – NSFOCUS : APT34 Event Analysis Report
October 21, 2019 – National Security Agency : Turla Group Exploits Iranian APT To Expand Coverage Of Victims (PDF)
August 27, 2019 – Secureworks : LYCEUM Takes Center Stage in Middle East Campaign
July 18, 2019 – FireEye : Hard Pass: Declining APT34's Invite to Join Their Professional Network
July 16, 2019 – BGD e-GOV CIRT (Bangladesh): [DNSPIONAGE] – FOCUS ON INTERNAL ACTIONS
May 15, 2019 – Proofpoint : Threat Actor Profile: TA542, From Banker to Malware Distribution Service
May 06, 2019 – NSFOCUS : Analysis of File Disclosure by APT34
April 30, 2019 – Unit 42 : Behind the Scenes with OilRig
April 16, 2019 – Unit 42 : DNS Tunneling in the Wild: Overview of OilRig’s DNS Tunneling
2018
2017
December 15, 2017 – Unit 42 : Introducing the Adversary Playbook: First up, OilRig
December 11, 2017 – Unit 42 : OilRig Performs Tests on the TwoFace Webshell
December 07, 2017 – FireEye : New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit
November 08, 2017 – Unit 42 : OilRig Deploys “ALMA Communicator” – DNS Tunneling Trojan
October 24, 2017 – ClearSky : Iranian Threat Agent Greenbug Impersonates Israeli High-Tech and Cyber Security Companies
October 09, 2017 – Unit 42 : OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan
September 26, 2017 – Unit 42 : Striking Oil: A Closer Look at Adversary Infrastructure
August 28, 2017 – ClearSky : Recent ISMAgent Samples and Infrastructure by Iranian Threat Group GreenBug
July 27, 2017 – Unit 42 : OilRig Uses ISMDoor Variant; Possibly Linked to Greenbug Threat Group
July 27, 2017 – Secureworks : The Curious Case of Mia Ash: Fake Persona Lures Middle Eastern Targets
April 27, 2017 – Unit 42 : OilRig Actors Provide a Glimpse into Development and Testing Efforts
March 31, 2017 – LogRhythm Labs : OilRig Campaign Analysis (PDF, TLP:WHITE)
February 15, 2017 – Secureworks : Iranian PupyRAT Bites Middle Eastern Organizations
January 05, 2017 – ClearSky : Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford
2016
2015
Feedback: Please direct message any comments, concerns, corrections or questions to https://infosec.exchange/@screaminggoat
September 8, 2024
Country: People's Republic of China
Organization: Loosely connected private contractors operating on behalf of China’s Ministry of State Security (MSS). Some have worked at Chengdu 404 Network Technology
Objective: Espionage, Information theft, Financial crime
(Page last updated: December 05, 2024)
Aliases (sorted alphabetically):
APT41 (FBI, CISA, Cisco, EDTA, FireEye, Mandiant, Kaspersky, Malpedia, Unit 42, Zscaler)
Axiom (Note: treated as a separate threat actor)
BARIUM (formerly used by Microsoft)
Blackfly (Symantec)
Brass Typhoon (Microsoft)
Bronze Atlas (SecureWorks)
Double Dragon (Wikipedia)
Earth Baku (Trend Micro)
Grayfly (Symantec)
Red Kelpie (PWC?)
RedEcho (tracked by Recorded Future as a different threat actor; possible overlaps)
Redfly (not used by Symantec, but linked via ShadowPad malware)
RedGolf (officially used by Recorded Future)
SparklingGoblin (ESET)
TG-2633 (formerly used by SecureWorks)
Wicked Panda (used by CrowdStrike to track espionage)
Wicked Spider (used by CrowdStrike to track cybercrime)
Winnti, Winnti Group (Kaspersky, ESET, Cybereason, PwC)
Subgroups
Identified Members
Associated Company
Chengdu Si Lingsi (404) Network Technology Company Ltd. (成都市肆零肆网络科技有限公司)
Vulnerabilities Exploited
CVE-2018-0824 (7.5 high, in CISA's KEV Catalog)
Microsoft COM for Windows Remote Code Execution Vulnerability
Source: Cisco
CVE-2017-0199 (7.8 high, in CISA's KEV Catalog)
Microsoft Office and WordPad Remote Code Execution Vulnerability
Sources: Clearsky, Fortinet, FireEye
CVE-2019-3396 (9.8 critical, in CISA's KEV Catalog)
Atlassian Confluence Server and Data Center Server-Side Template Injection Vulnerability.
Sources: FireEye, Fortinet
CVE-2015-1641 (7.8 high, in CISA's KEV Catalog)
Microsoft Office Memory Corruption Vulnerability
Source: Fortinet
CVE-2012-0158 (8.8 high, in CISA's KEV Catalog)
Microsoft MSCOMCTL.OCX Remote Code Execution Vulnerability
Sources: Fortinet, FireEye
CVE-2017-11882 (7.8 high, in CISA's KEV Catalog)
Microsoft Office Memory Corruption Vulnerability
Source: FireEye
The following 7 vulnerabilities have the same source: U.S. DOJ
CVE-2019-19781 (9.8 critical, in CISA's KEV Catalog)
Citrix ADC, Gateway, and SD-WAN WANOP Appliance Code Execution Vulnerability
Additional sources: FireEye, Fortinet
CVE-2019-11510 (10.0 critical, in CISA's KEV Catalog)
Ivanti Pulse Connect Secure Arbitrary File Read Vulnerability
CVE-2019-16920 (9.8 critical, in CISA's KEV Catalog)
D-Link Multiple Routers Command Injection Vulnerability
CVE-2019-16278 (9.8 critical)
Nostromo 1.9.6 Directory Traversal/ Remote Command Execution Vulnerability
CVE-2019-1652 (7.2 high, in CISA's KEV Catalog)
Cisco Small Business Routers Improper Input Validation Vulnerability.
Additional source: FireEye
CVE-2019-1653 (7.5 high, in CISA's KEV Catalog)
Cisco Small Business RV320 and RV325 Routers Information Disclosure Vulnerability.
Additional source: FireEye
CVE-2020-10189 (9.8 critical, in CISA's KEV Catalog)
Zoho ManageEngine Desktop Central File Upload Vulnerability.
Additional sources: FireEye, Fortinet
The following 2 vulnerabilities have the same source: Mandiant
CVE-2021-44228 (10.0 critical, in CISA's KEV Catalog)
Apache Log4j2 Remote Code Execution Vulnerability (aka Log4Shell).
CVE-2021-44207 (8.1 high)
Acclaim USAHERDS Hard-Coded Credentials Vulnerability
Tactics, Techniques, and Procedures
Mapped to MITRE ATT&CK Navigator Layers
References
Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.
Links (Sorted in Chronological Order)
2024
November 12, 2024 – BlackBerry : LightSpy: APT41 Deploys Advanced DeepData Framework In Targeted Southern Asia Espionage Campaign
October 31, 2024 – Sophos : Pacific Rim: Inside the Counter-Offensive—The TTPs Used to Neutralize China-Based Threats
August 04, 2024 – Trend Micro : A Dive into Earth Baku’s Latest Campaign
August 01, 2024 – Cisco Talos : APT41 likely compromised Taiwanese government-affiliated research institute with ShadowPad and Cobalt Strike
July 18, 2024 – Mandiant : APT41 Has Arisen From the DUST
July 11, 2024 – Zscaler : MoonWalk: A deep dive into the updated arsenal of APT41 | Part 2
July 10, 2024 – Zscaler : DodgeBox: A deep dive into the updated arsenal of APT41 | Part 1
June 10, 2024 – Technical University of Zurich (ETH Zurich): From Vegas to Chengdu: Hacking Contests, Bug Bounties, and China’s Offensive Cyber Ecosystem (research paper, PDF)
May 29, 2024 – Natto Thoughts : APT41’s Reconnaissance Techniques and Toolkit: Nmap and What Else?
May 22, 2024 – Natto Thoughts : Front Company or Real Business in China’s Cyber Operations
April 02, 2024 – Trend Micro : Earth Freybug Uses UNAPIMON for Unhooking Critical APIs (APT41 subgroup)
February 28, 2024 – Natto Thoughts : i-SOON: Kicking off the Year of the Dragon with Good Luck … or Not (more about association of i-SOON to Chengdu 404)
2023
October 27, 2023 – Natto Thoughts : i-SOON: Another Company in the APT41 Network
September 22, 2023 – Mandiant : Threat Trends: Unraveling WyrmSpy and DragonEgg Mobile Malware with Lookout
September 12, 2023 – Symantec : Redfly: Espionage Actors Continue to Target Critical Infrastructure (tenuous link via ShadowPad trojan)
July 19, 2023 – Lookout : Lookout Attributes Advanced Android Surveillanceware to Chinese Espionage Group APT41
May 02, 2023 – Trend Micro : Attack on Security Titans: Earth Longzhi Returns With New Tricks (APT41 subgroup)
April 01, 2023 – Google Cloud /Threat Analysis Group (TAG): April 2023 Threat Horizons Report (PDF, page 9: HOODOO Uses Public Tooling, Google Workspace to Target Taiwanese Media)
March 30, 2023 – Recorded Future : With KEYPLUG, China’s RedGolf Spies On, Steals From Wide Field of Targets (PDF)
February 28, 2023 – Symantec : Blackfly: Espionage Group Targets Materials Technology
2022
November 09, 2022 – Trend Micro : Hack the Real Box: APT41’s New Subgroup Earth Longzhi (APT41 subgroup)
October 18, 2022 – Symantec : Spyder Loader: Malware Seen in Recent Campaign Targeting Organizations in Hong Kong
September 22, 2022 – U.S. Health and Human Services (HHS): APT41 and Recent Activity (PDF)
September 14, 2022 – ESET : You never walk alone: The SideWalk backdoor gets a Linux variant
August 22, 2022 – Mandiant : APT41 (Double Dragon): A Dual Espionage and Cyber Crime Operation (PDF)
August 18, 2022 – Group-IB :
July 24, 2022 – Intrusion Truth : Chinese APTs: Interlinked networks and side hustles
July 23, 2022 – Intrusion Truth : The people behind Chengdu 404
July 22, 2022 – Intrusion Truth : Chengdu 404
July 21, 2022 – Intrusion Truth : The old school hackers behind APT41
July 20, 2022 – Intrusion Truth : APT41: A Case Sudy [sic]
May 02, 2022 – Cybereason :
March 08, 2022 – Mandiant : Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments
February 15, 2022 – Secureworks : ShadowPad Malware Analysis
January 20, 2022 – Kaspersky : MoonBounce: the dark side of UEFI firmware
2021
October 05, 2021 – BlackBerry : Drawing a Dragon: Connecting the Dots to Find APT41
September 21, 2021 – Recorded Future : China-Linked Group TAG-28 Targets India’s “The Times Group” and UIDAI (Aadhaar) Government Agency With Winnti Malware, available as PDF (tenuous connection via Winnti malware)
September 09, 2021 – Symantec : Grayfly: Chinese Threat Actor Uses Newly-discovered Sidewalk Malware
August 24, 2021 – ESET : The SideWalk may be as dangerous as the CROSSWALK
August 24, 2021 – Trend Micro : APT41 Resurfaces as Earth Baku With New Cyberespionage Campaign
August 20, 2021 – CISA : Chinese State-Sponsored Cyber Operations: Observed TTPs (generalized Chinese threat activity)
July 08, 2021 – Recorded Future : Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling (TAG-22 overlaps with Winnti, but is considered Aquatic Panda)
July 01, 2021 – Avast : Backdoored Client from Mongolian CA MonPass
June 10, 2021 – Group-IB : Big airline heist
April 29, 2021 – NTT : The Operations of Winnti group (PDF)
March 16, 2021 – Dragos : New ICS Threat Activity Group: VANADINITE (Winnti subgroup)
March 10, 2021 – Intezer : New Linux Backdoor RedXOR Likely Operated by Chinese Nation-State Actor
March 08, 2021 – Mazaher Kianpour : Socio-Technical Root Cause Analysis of Cyber-enabled Theft of the U.S. Intellectual Property — The Case of APT41 (PDF)
February 28, 2021 – Recorded Future : China-linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions, majority in PDF
January 14, 2021 – Positive Technologies : Higaisa or Winnti? APT41 backdoors, old and new
2020
November 11, 2020 – Microsoft : Hunting for Barium using Azure Sentinel
October 20, 2020 – CISA : Potential for China Cyber Response to Heightened U.S.–China Tensions (brief mention of APT41)
September 29, 2020 – Positive Technologies : ShadowPad: new activity from the Winnti group
September 18, 2020 – Trend Micro : U.S. Justice Department Charges APT41 Hackers over Global Cyberattacks
September 17, 2020 – Symantec : APT41: Indictments Put Chinese Espionage Group in the Spotlight
September 16, 2020 – U.S. Department of Justice : Seven International Cyber Defendants, Including “Apt41” Actors, Charged In Connection With Computer Intrusion Campaigns Against More Than 100 Victims Globally (ATTRIBUTION)
September 16, 2020 – FBI FLASH: Indictment of China-Based Cyber Actors Associated with APT 41 for Intrusion Activities (PDF)
June 11, 2020 – Zscaler : The Return of the Higaisa APT (see Positive Technologies link from January 14, 2021)
June 04, 2020 – Malwarebytes : New LNK attack tied to Higaisa APT discovered (see Positive Technologies link from January 14, 2021)
May 21, 2020 – ESET : No “Game over” for the Winnti Group
May 06, 2020 – Trend Micro : Targeted Ransomware Attack Hits Taiwan Organizations
April 20, 2020 – QuoIntelligence : WINNTI GROUP: Insights From the Past
April 13, 2020 – Unit 42 : APT41 Using New Speculoos Backdoor to Target Organizations Globally
March 25, 2020 – FireEye : This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits
February ??, 2020 – PwC : Cyber Threats 2019: A Year in Retrospect (PDF, page 10)
January 31, 2020 – ESET : Winnti Group targeting universities in Hong Kong
January 31, 2020 – Tagesschau (German news): Deutsches Chemieunternehmen gehackt (German language, archive of dead link. English translated title: “German chemical company hacked”)
2019
October 31, 2019 – FireEye : MESSAGETAP: Who’s Reading Your Text Messages?
October 21, 2019 – ESET : Winnti Group's skip-2.0: A Microsoft SQL Server backdoor
October 15, 2019 – FireEye : LOWKEY: Hunting for the Missing Volume Serial ID
October 14, 2019 – ESET : Connecting the dots: Exposing the arsenal and methods of the Winnti Group, with whitepaper PDF
September 14, 2019 – VMware : CB TAU Threat Intelligence Notification: Winnti Malware 4.0
August 19, 2019 – FireEye : GAME OVER: Detecting and Stopping an APT41 Operation
August 07, 2019 – FireEye : APT41: A Dual Espionage and Cyber Crime Operation, available as PDF
July 24, 2019 – Bayerischer Rundfunk (BR): Winnti: Attacking the Heart of the German Industry
May 29, 2019 – Intezer : HiddenWasp Malware Stings Targeted Linux Systems (link to Winnti malware)
May 16, 2019 – Lab52 : Winnti Group: Geostrategic and TTP (Tactics, Techniques and Procedures)
May 15, 2019 – Chronicle : Winnti: More than just Windows and Gates
April 23, 2019 – Kaspersky : Operation ShadowHammer: a high-profile supply chain attack
March 25, 2019 – Kaspersky : Operation ShadowHammer
March 11, 2019 – ESET : Gaming industry still in the scope of attackers in Asia
2018
2017
2016
2015
2013
Feedback: Please direct message any comments, concerns, corrections or questions to https://infosec.exchange/@screaminggoat
September 5, 2024
Country: Russia
Organization: Russian General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155)
Objective: Espionage, Sabotage, Assassinations, Influence Operations
(Page last updated: September 07, 2024)
Aliases:
Identified Members
Amin Timovich Stigal (Амин Стигал), Russian civilian hacker:
Yuriy Fedorovich Denisov (Юрий Денисов), Colonel and Commanding Officer of Cyber Operations for Unit 29155:
Vladislav Yevgenyevich Borovkov (Владислав Боровков), lieutenant in Unit 29155:
Denis Igorevich Denisenko (Денис Денисенко), lieutenant in Unit 29155:
Dmitriy Yuryevich Goloshubov (Дима Голошубов), lieutenant in Unit 29155:
Nikolay Aleksandrovich Korchagin (Николай Корчагин), lieutenant in Unit 29155:
Vulnerabilities Exploited
CVE-2017-11882 (7.8 high, in CISA's KEV Catalog)
Microsoft Office Memory Corruption Vulnerability
Source: Unit 42
The following 5 vulnerabilities have the same source: CISA
CVE-2021-33044 (9.8 critical, in CISA's KEV Catalog)
Dahua IP Camera Authentication Bypass Vulnerability
CVE-2021-33045 (9.8 critical, in CISA's KEV Catalog)
Dahua IP Camera Authentication Bypass Vulnerability
CVE-2022-26134 (9.8 critical, in CISA's KEV Catalog)
Atlassian Confluence Server and Data Center Remote Code Execution Vulnerability
CVE-2022-26138 (9.8 critical, in CISA's KEV Catalog)
Atlassian Questions For Confluence App Hard-coded Credentials Vulnerability
CVE-2022-3236 (9.8 critical, in CISA's KEV Catalog)
Sophos Firewall Code Injection Vulnerability
Exploitation Likely
CISA and co-authoring agencies warned on 06 September 2024 that Unit 29155 cyber actors have been observed obtaining the respective exploit scripts for the following 5 vulnerabilities:
CVE-2020-1472 (9.8 critical, in CISA's KEV Catalog)
Microsoft Netlogon Privilege Escalation Vulnerability
CVE-2021-26084 (9.8 critical, in CISA's KEV Catalog)
Atlassian Confluence Server and Data Center Object-Graph Navigation Language (OGNL) Injection Vulnerability
CVE-2021-3156 (7.8 high, in CISA's KEV Catalog)
Sudo Heap-Based Buffer Overflow Vulnerability
CVE-2021-4034 (7.8 high, in CISA's KEV Catalog)
Red Hat Polkit Out-of-Bounds Read and Write Vulnerability
CVE-2022-27666 (7.8 high)
Red Hat: IPSec ESP Local Privilege Escalation Vulnerability
Tactics, Techniques, and Procedures
Mapped to MITRE ATT&CK Navigator Layers
References
Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.
Links (Sorted in Chronological Order)
2024
September 06, 2024 – ASD ACSC : Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure
September 05, 2024 – CISA : Russian Military Cyber Actors Target US and Global Critical Infrastructure, available as PDF
September 05, 2024 – U.S. Department of Justice :
September 05, 2024 – NSA : NSA, FBI, CISA, and Allies Issue Advisory about Russian Military Cyber Actors
September 05, 2024 – U.S. State Department : Up to $1 Million Reward Offer for Information Leading to Arrest and/or Conviction of Russian National Tim Vakhaevich Stigal
September 05, 2024 – NCSC-UK : UK and Allies uncover Russian military unit carrying out cyber attacks and digital sabotage for the first time
September 05, 2024 – BfV (Germany): Joint Cybersecurity Advisory on Russian Military Cyber Actors targeting U.S. and Global Critical Infrastructure
September 05, 2024 – KAPO (Estonia): A GRU military unit launched cyberattacks against Estonian authorities
September 05, 2024 – Estonia Prosecutor's Office: A GRU military unit launched cyberattacks against Estonian authorities
September 05, 2024 – Estonia Ministry of Foreign Affairs (MFA): Estonia names Russia’s military intelligence in a first-ever attribution of cyberattacks
September 05, 2024 – The Netherlands Military Intelligence and Security Service (MIVD): MIVD waarschuwt: Russen hebben het gemunt op westerse hulp aan Oekraïne (Dutch; English translated title: “MIVD warns: Russians have set their sights on Western aid to Ukraine”)
September 05, 2024 – CCCS : Russian military cyber actors target U.S. and global critical infrastructure
June 26, 2024 – U.S. Department of Justice : Russian National Charged For Conspiring With Russian Military Intelligence To Destroy Ukrainian Government Computer Systems And Data (Amin Stigal)
2023
2022
December 05, 2022 – Elastic : Operation Bleeding Bear
July 20, 2022 – USCYBERCOM : Cyber National Mission Force discloses IOCs from Ukrainian networks
July 20, 2022 – Mandiant : Evacuation and Humanitarian Documents used to Spear Phish Ukrainian Entities
July 13, 2022 – Malwarebytes : Cobalt Strikes again: UAC-0056 continues to target Ukraine in its latest campaign
July 11, 2022 – CERT-UA : Attack by UAC-0056 group on state organizations of Ukraine using Cobalt Strike Beacon (CERT-UA#4941) (Ukrainian)
July 06, 2022 – CERT-UA : Cyber attack UAC-0056 on state organizations of Ukraine using Cobalt Strike Beacon (CERT-UA#4914) (Ukrainian)
April 26, 2022 – CERT-UA : UAC-0056 group cyber attack using GraphSteel and GrimPlant malware and the topic of COVID-19 (CERT-UA#4545) (Ukrainian)
April 25, 2022 – Bitdefender : Deep Dive into the Elephant Framework – A New Cyber Threat in Ukraine
April 04, 2022 – Intezer : Elephant Framework Delivered in Phishing Attacks Against Ukrainian Organizations
April 04, 2022 – NioGuard : Russian SaintBear Group Attacked Ukrainian Government Agencies Using GraphSteel & GrimPlant malware
April 01, 2022 – Malwarebytes : New UAC-0056 activity: There’s a Go Elephant in the room
March 30, 2022 – CrowdStrike : Who is EMBER BEAR?
March 28, 2022 – CERT-UA : Cyber attack of the UAC-0056 group on the state bodies of Ukraine using GraphSteel and GrimPlant malware (CERT-UA#4293) (Ukrainian)
March 15, 2022 – SentinelOne : Threat Actor UAC-0056 Targeting Ukraine with Fake Translation Software
March 04, 2022 – Mandiant : Responses to Russia's Invasion of Ukraine Likely to Spur Retaliation
February 25, 2022 – Unit 42 : Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot
February 21, 2022 – NSFOCUS : APT Lorec53 group launched a series of cyber attacks against Ukraine
February 08, 2022 – NSFOCUS : APT Retrospection: Lorec53, An Active Russian Hack Group Launched Phishing Attacks Against Georgian Government
February 02, 2022 – CERT-UA : Cyber attack of the UAC-0056 group on state organizations of Ukraine using SaintBot and OutSteel malware (CERT-UA#3799) (Ukrainian)
January 20, 2022 – Unit 42 : Threat Brief: Ongoing Russia and Ukraine Cyber Activity
January 17, 2022 – Picus : TTPs used by DEV-0586 APT Group in WhisperGate Attack Targeting Ukraine
January 16, 2022 – NCSCC-UA on Twitter: Operation #BleedingBear
January 15, 2022 – Microsoft : Destructive malware targeting Ukrainian organizations
2021
September 2, 2024
Country: Islamic Republic of Iran
Organization: Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO)
Objective: Espionage, Intelligence collection
(Page last updated December 05, 2024)
Aliases:
APT42 (Mandiant)
APT35 (Check Point Research, Google Threat Analysis Group, ThreatBook)
Ballistic Bobcat (ESET)
CALANQUE (Google Threat Analysis Group)
CharmingCypress (Volexity)
Charming Kitten (ClearSky, CERT-FA, Bitdefender)
COBALT ILLUSION (Secureworks)
ITG18 (IBM)
Magic Hound (MITRE, Unit 42, Cyble)
Mint Sandstorm (Microsoft)
PHOSPHORUS (previously used by Microsoft, The DFIR Report, Deep Instinct, Cybereason)
TAG-56 (previously used by Recorded Future)
TA453 (Proofpoint)
TunnelVision or Tunnel Vision (eSentire, SentinelOne)
Yellow Garuda (PwC)
Sub-group:
Identified Members
Vulnerabilities Exploited
Tactics, Techniques, and Procedures
Mapped to MITRE ATT&CK
External link: MITRE
References
Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.
Links (Sorted in Chronological Order)
2024
November 28, 2024 – ThreatBook : APT35 Forges Recruitment Sites, Launches Attacks on Aerospace and Semiconductor Industries in Multiple Countries
November 12, 2024 – ClearSky : Iranian “Dream Job” Campaign 11.24 (subgroup)
September 27, 2024:
August 28, 2024 – Mandiant : I Spy With My Little Eye: Uncovering an Iranian Counterintelligence Operation (note: weak overlap)
August 23, 2024 – Meta : Taking Action Against Malicious Accounts in Iran
August 20, 2024 – Proofpoint : Best Laid Plans: TA453 Targets Religious Figure with Fake Podcast Invite Delivering New BlackSmith Malware Toolset
August 20, 2024 – Recorded Future : GreenCharlie Infrastructure Linked to US Political Campaign Targeting, available as PDF
August 19, 2024 – CISA : Joint ODNI, FBI, and CISA Statement on Iranian Election Influence Efforts (Note: not explicitly identified)
August 14, 2024 – Google Threat Analysis Group (TAG): Iranian backed group steps up phishing campaigns against Israel, U.S.
August 14, 2024 – Harfang Lab : Cyclops: a likely replacement for BellaCiao
August 08, 2024 – Microsoft Threat Analysis Center : Iran Targeting 2024 US Election
May 22, 2024 – Cyble : Threat Actor Profile: Magic Hound
May 10, 2024 – New Jersey Cybersecurity & Communications Integration Cell (NJ-CCIC) : Recent Observed Iranian State-Sponsored Cyber Threat Group Activity (ATTRIBUTION to IRGC-IO)
May 1, 2024 – Mandiant : Uncharmed: Untangling Iran's APT42 Operations
February 13, 2024 – Volexity : CharmingCypress: Innovating Persistence
January 17, 2024 – Microsoft : New TTPs observed in Mint Sandstorm campaign targeting high-profile individuals at universities and research orgs
2023
2022
December 14, 2022 – Proofpoint : Would’ve, Could’ve, Should’ve…Did: TA453 Refuses to be Bound by Expectations
December 12, 2022 – SOCRadar : Dark Web Profile: APT42 – Iranian Cyber Espionage Group
November 29, 2022 – Recorded Future : Suspected Iran-Nexus TAG-56 Uses UAE Forum Lure for Credential Theft Against US Think Tank, available as PDF
September 27, 2022 – Avertium : An In-Depth Look at APT35 aka Charming Kitten
September 14, 2022 – U.S. Treasury : Treasury Sanctions IRGC-Affiliated Cyber Actors for Roles in Ransomware Activity (ATTRIBUTION to IRGC, links “Tunnel Vision” to Charming Kitten)
September 13, 2022 – Proofpoint : Look What You Made Me Do: TA453 Uses Multi-Persona Impersonation to Capitalize on FOMO
September 09, 2022 – CERT-FA : Charming Kitten: “Can We Have A Meeting?”
September 07, 2022 – Mandiant : APT42: Crooked Charms, Cons, and Compromises, available as PDF
September 07, 2022 – Microsoft : Profiling DEV-0270: PHOSPHORUS’ ransomware operations
August 23, 2022 – Google Threat Analysis Group (TAG): New Iranian APT data extraction tool
July 22, 2022 – PwC : Old cat, new tricks, bad habits
June 01, 2022 – Deep Instinct : Iranian Threat Actor Continues to Develop Mass Exploitation Tools
March 30, 2022 – Recorded Future : Social Engineering Remains Key Tradecraft for Iranian APTs, available as PDF
March 21, 2022 – The DFIR Report : PHOSPHORUS Automates Initial Access Using ProxyShell
March 09, 2022 – eSentire : Exploitation of VMware Horizon Servers by TunnelVision Threat Actor
February 17, 2022 – SentinelOne : Log4j2 In The Wild | Iranian-Aligned Threat Actor “TunnelVision” Actively Exploiting VMware Horizon
February 01?, 2022 – Cybereason : PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage
January 11, 2022 – Check Point Research : APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit
2021
2020
2019
2018
2017
2016
August 24, 2024
Country: People's Republic of China (PRC)
Organization: Hainan State Security Department (HSSD), of the Ministry of State Security (MSS)
Objective: Espionage
Aliases:
Bronze Mohawk (Secureworks)
Leviathan / Kryptonite Panda (CrowdStrike)
Gadolinium (formerly used by Microsoft)
Gingham Typhoon (Microsoft)
FEVERDREAM, G0065, GreenCrash, Hellsing, Mudcarp, Periscope
Temp.Periscope / Temp.Jumper (FireEye)
Front Company
Hainan Xiandun Technology Development Co., Ltd. (海南仙盾) (Hainan Xiandun) (Note: disbanded)
Identified Members
Ding Xiaoyang (丁晓阳)
Cheng Qingmin (程庆民)
Zhu Yunmin (朱允敏)
Wu Shurong (吴淑荣)
References:
Links (Sorted in Chronological Order)
2021
2020
2019
June 9, 2024
Country: People's Republic of China
Organization: N/A
Objective: Espionage
(Page Last Updated: December 05, 2024)
Aliases:
Vulnerabilities Exploited
CVE-2024-39717 (CVSSv3.1: 6.6 medium, in CISA's KEV Catalog)
Versa Director Dangerous File Type Upload Vulnerability
Source: Lumen
CVE-2022-42475 (CVSSv3.1: 9.8 critical, in CISA's KEV Catalog)
Fortinet FortiOS Heap-Based Buffer Overflow Vulnerability
Source: CISA
Source: Versa Networks
CVE-2023-27997 (CVSSv3.1: 9.8 critical, in CISA's KEV Catalog)
Fortinet FortiOS and FortiProxy SSL-VPN Heap-Based Buffer Overflow Vulnerability
CVE-2024-21762 (CVSSv3.1: 9.8 critical, in CISA's KEV Catalog)
Fortinet FortiOS Out-of-Bound Write Vulnerability
CVE-2023-46805 (CVSSv3.1: 8.2 high, in CISA's KEV Catalog)
Ivanti Connect Secure and Policy Secure Authentication Bypass Vulnerability
CVE-2024-21887 (CVSSv3.1: 9.1 critical, in CISA's KEV Catalog)
Ivanti Connect Secure and Policy Secure Command Injection Vulnerability
References
Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.
Links (Sorted in Chronological Order)
2024
November 19, 2024 – Tenable : Volt Typhoon: U.S. Critical Infrastructure Targeted by State-Sponsored Actors
November 12, 2024 – Security Scorecard : The Botnet is Back: SSC STRIKE Team Uncovers a Renewed Cyber Threat
November 05, 2024 – Bloomberg : Chinese Group Accused of Hacking Singtel in Telecom Attacks (news article, archive link)
October 31, 2024 – Sophos : Pacific Rim: Inside the Counter-Offensive—The TTPs Used to Neutralize China-Based Threats
August 27, 2024 – Lumen : Taking the Crossroads: The Versa Director Zero-Day Exploitation
June 12, 2024 – Natto Thoughts : Who is Volt Typhoon? A State-sponsored Actor? Or Dark Power?
April 04, 2024 – Mandiant : Cutting Edge, Part 4: Ivanti Connect Secure VPN Post-Exploitation Lateral Movement Case Studies
March 20, 2024 – ASD ACSC : PRC State-Sponsored Cyber Activity
February 14?, 2024 – Dragos : VOLTZITE Espionage Operations Targeting U.S. Critical Systems, available as 7 page PDF
February 14, 2024 – Unit 42 : Threat Brief: Attacks on Critical Infrastructure Attributed to Insidious Taurus (Volt Typhoon)
February 07, 2024 – Lumen : KV-Botnet: Don’t call it a Comeback
February 07, 2024 – CISA:
January 31, 2024 – U.S. Department of Justice: U.S. Government Disrupts Botnet People’s Republic of China Used to Conceal Hacking of Critical Infrastructure
January 31, 2024 – CISA : Secure by Design Alert: Security Design Improvements for SOHO Device Manufacturers, available as 2 page PDF
January 11, 2024 – Security Scorecard : Threat Intelligence Research: Volt Typhoon Compromises 30% of Cisco RV320/325 Devices in 37 Days
2023
Feedback: Please direct message any comments, concerns, corrections or questions to https://infosec.exchange/@screaminggoat
May 27, 2024
Country: Russia
Organization: Russian General Staff Main Intelligence Directorate (GRU) 85th Special Service Centre (GTsSS) Military Intelligence Unit 26165.
Objective: Espionage
WORK IN PROGRESS! (Page last updated: September 09, 2024)
Aliases:
APT28 (MITRE, Mandiant)
Fancy Bear (CrowdStrike)
Sofacy (F-Secure)
Sednit or Sednit Group (ESET)
Group 74 (Cisco Talos Intelligence)
IRON TWILIGHT (Secureworks)
Strontium (formerly used by Microsoft)
Forest Blizzard (Microsoft)
Pawn Storm (Trend Micro)
Swallowtail (Symantec)
BlueDelta (Recorded Future)
UAC-0028 (CERT-UA)
TA422 (Proofpoint)
Fighting Ursa (Unit 42)
FROZENLAKE (Google Threat Analysis Group)
Possible Ties
Identified Members
Still parsing through the indictments.
Vulnerabilities Exploited
Coming soon! There's a lot.
Tactics, Techniques, and Procedures
Mapped to MITRE ATT&CK Navigator Layers
References
Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.
Links (Sorted in Chronological Order)
2024
August 02, 2024 – Unit 42 : Fighting Ursa Luring Targets With Car for Sale
July 22, 2024 – Computer Emergency Response Team of Ukraine (CERT-UA) : UAC-0063 attacks research institutions of Ukraine: HATVIBE + CHERRYSPY + CVE-2024-23692 (CERT-UA#10356) (Ukrainian)
June 12, 2024 – Mandiant / Google TAG : Insights on Cyber Threats Targeting Users and Enterprises in Brazil
May 3, 2024 – U.S. State Department : The United States Condemns Malicious Cyber Activity Targeting Germany, Czechia, and Other EU Member States
April 22, 2024 – Microsoft : Analyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials
February 27, 2024 – NSA : Russian Cyber Actors Use Compromised Routers to Facilitate Cyber Operations
February 15, 2024 – U.S. Department of Justice : Justice Department Conducts Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU)
February 14, 2024 – Microsoft : Staying ahead of threat actors in the age of AI
2023
2022
2021
2020
2018
2016
2015