September 29, 2024
Country: People's Republic of China
Organization: N/A
Objective: Espionage
(Page Last Updated: October 05, 2024)
Aliases:
Links to other groups
Vulnerabilities Exploited
ProxyLogon (Sources: ESET , Kaspersky , Sygnia ):
CVE-2021-26855 (9.8 critical, in CISA's KEV Catalog)
Microsoft Exchange Server Remote Code Execution Vulnerability
CVE-2021-26857 (7.8 high, in CISA's KEV Catalog)
Microsoft Exchange Server Remote Code Execution Vulnerability
CVE-2021-26858 (7.8 high, in CISA's KEV Catalog)
Microsoft Exchange Server Remote Code Execution Vulnerability
CVE-2021-27065 (7.8 high, in CISA's KEV Catalog)
unidentified Microsoft SharePoint and Oracle Opera business software vulnerabilities (Source: ESET )
CVE-2017-11882 (7.8 high, in CISA's KEV Catalog. Note: associated with alias Tropic Trooper)
Microsoft Office Memory Corruption Vulnerability
Source: Trend Micro
CVE-2012-0158 (8.8 high, in CISA's KEV Catalog. Note: associated with alias Tropic Trooper, KeyBoy)
Microsoft MSCOMCTL.OCX Remote Code Execution Vulnerability
Sources: Unit 42 , Citizen Lab
CVE-2017-0199 (7.8 high, in CISA's KEV Catalog. Note: associated with alias Tropic Trooper)
Microsoft Office and WordPad Remote Code Execution Vulnerability
Source: Citizen Lab
CVE-2015-1641 (7.8 high, in CISA's KEV Catalog. Note: associated with alias KeyBoy)
Microsoft Office Memory Corruption Vulnerability
Source: Citizen Lab
References
Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.
Links (Sorted in Chronological Order)
2024
2023
2022
2021
2020
2018
2017
2016
2015
2013
Feedback: Please direct message any comments, concerns, corrections or questions to https://infosec.exchange/@screaminggoat
September 23, 2024
Country: People's Republic of China
Organization: Integrity Technology Group
Objective: Espionage, Information theft
(Page last updated: September 23, 2024)
Aliases (sorted alphabetically):
Associated Company
Integrity Technology Group (Integrity Tech) (Source: FBI (PDF))
aka Yongxin Zhicheng, 永信至诚
Vulnerabilities Exploited
Source: FBI
References
Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.
Links (Sorted in Chronological Order)
2024
2023
2022
2020
May 20, 2020?? – PRC Ministry of State Security : 前沿 | 网络靶场,未来安全的基础设施 (web archive of a MSS-run periodical reprinted on IntegrityTech's website, English translation: “Frontier | Cyber Range, the secure infrastructure of the future”)
Feedback: Please direct message any comments, concerns, corrections or questions to https://infosec.exchange/@screaminggoat
September 12, 2024
Country: Islamic Republic of Iran
Organization: Ministry of Intelligence and Security (MOIS)
Objective: Espionage, Sabotage
(Page last updated September 20, 2024)
Aliases (sorted alphabetically):
APT34 (Check Point Research , FireEye, Intezer , NSA, NSFOCUS , Trend Micro )
CHRYSENE (Dragos )
Cobalt Gypsy (Secureworks ) (primary)
Cobalt Lyceum (Secureworks )
Crambus (Symantec )
Europium (previously used by Microsoft)
Greenbug (ClearSky , Symantec )
Hazel Sandstorm (Microsoft )
Helix Kitten (CrowdStrike , Wikipedia )
HEXANE (Dragos ) (linked to Lyceum by Kaspersky)
ITG13 (IBM )
Lyceum (Kaspersky , Secureworks )
OilRig (ClearSky , Cyble , EDTA , ESET , Kaspersky , Malpedia , MITRE , Unit 42 )
TA452 (Proofpoint )
TG-2889 (formerly used by Secureworks)
Yellow Maero (PwC
Sub-group:
Known Associates
Mojtaba Mostafavi. Source: U.S. Treasury (linked by PwC, via Lab Dookhtegan leaks)
Farzin Karimi Mazlganchai: PwC
Vulnerabilities Exploited
CVE-2019-0604 (CVE , NVD . CVSSv3.1: 9.8 critical, in CISA's KEV Catalog)
Microsoft SharePoint Remote Code Execution Vulnerability
Source: Microsoft
CVE-2017-11882 (CVE , NVD . CVSSv3.1: 7.8 high, in CISA's KEV Catalog)
Microsoft Office Memory Corruption Vulnerability
Source: Mandiant
CVE-2017-0199 (CVE , NVD , CVSS3v1: 7.8 high, in CISA's KEV Catalog)
Microsoft Office and WordPad Remote Code Execution Vulnerability
Source: Unit 42
Tactics, Techniques, and Procedures (TTPs)
As listed by MITRE
References
Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.
Links (Sorted in Chronological Order)
2024
2023
December 20, 2023 – Security Scorecard : A detailed analysis of the Menorah malware used by APT34
December 14, 2023 – ESET : OilRig’s persistent attacks using cloud service-powered downloaders
October 31, 2023 – Check Point Research : From Albania to the Middle East: The Scarred Manticore is Listening (AFFILIATED WITH MOIS)
October 19, 2023 – Symantec : Crambus: New Campaign Targets Middle Eastern Government
September 29, 2023 – Trend Micro : APT34 Deploys Phishing Attack With New Malware
September 21, 2023 – ESET : OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes
August 30, 2023 – NSFOCUS : APT34 Unleashes New Wave of Phishing Attack with Variant of SideTwist Trojan
May 09, 2023 – ESET : ESET APT Activity Report Q4 2022–Q1 2023 , specifically on page 8 in PDF (PDF)
May 08, 2023 – Kaspersky : Kaspersky experts warn of increased IT supply chain attacks by OilRig APT in the Middle East and Turkiye
February 02, 2023 – Trend Micro : New APT34 Malware Targets The Middle East
2022
2021
2020
2019
December 17, 2019 – Kaspersky : OilRig’s Poison Frog – old samples, same trick
December 04, 2019 – IBM : New Destructive Wiper ZeroCleare Targets Energy Sector in the Middle East
November 09, 2019 – NSFOCUS : APT34 Event Analysis Report
October 21, 2019 – National Security Agency : Turla Group Exploits Iranian APT To Expand Coverage Of Victims (PDF)
August 27, 2019 – Secureworks : LYCEUM Takes Center Stage in Middle East Campaign
July 18, 2019 – FireEye : Hard Pass: Declining APT34's Invite to Join Their Professional Network
July 16, 2019 – BGD e-GOV CIRT (Bangladesh): [DNSPIONAGE] – FOCUS ON INTERNAL ACTIONS
May 15, 2019 – Proofpoint : Threat Actor Profile: TA542, From Banker to Malware Distribution Service
May 06, 2019 – NSFOCUS : Analysis of File Disclosure by APT34
April 30, 2019 – Unit 42 : Behind the Scenes with OilRig
April 16, 2019 – Unit 42 : DNS Tunneling in the Wild: Overview of OilRig’s DNS Tunneling
2018
2017
December 15, 2017 – Unit 42 : Introducing the Adversary Playbook: First up, OilRig
December 11, 2017 – Unit 42 : OilRig Performs Tests on the TwoFace Webshell
December 07, 2017 – FireEye : New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit
November 08, 2017 – Unit 42 : OilRig Deploys “ALMA Communicator” – DNS Tunneling Trojan
October 24, 2017 – ClearSky : Iranian Threat Agent Greenbug Impersonates Israeli High-Tech and Cyber Security Companies
October 09, 2017 – Unit 42 : OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan
September 26, 2017 – Unit 42 : Striking Oil: A Closer Look at Adversary Infrastructure
August 28, 2017 – ClearSky : Recent ISMAgent Samples and Infrastructure by Iranian Threat Group GreenBug
July 27, 2017 – Unit 42 : OilRig Uses ISMDoor Variant; Possibly Linked to Greenbug Threat Group
July 27, 2017 – Secureworks : The Curious Case of Mia Ash: Fake Persona Lures Middle Eastern Targets
April 27, 2017 – Unit 42 : OilRig Actors Provide a Glimpse into Development and Testing Efforts
March 31, 2017 – LogRhythm Labs : OilRig Campaign Analysis (PDF, TLP:WHITE)
February 15, 2017 – Secureworks : Iranian PupyRAT Bites Middle Eastern Organizations
January 05, 2017 – ClearSky : Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford
2016
2015
Feedback: Please direct message any comments, concerns, corrections or questions to https://infosec.exchange/@screaminggoat
September 8, 2024
Country: People's Republic of China
Organization: Loosely connected private contractors operating on
behalf of China’s Ministry of State Security (MSS). Some have worked at Chengdu 404 Network Technology
Objective: Espionage, Information theft, Financial crime
(Page last updated: September 22, 2024)
Aliases (sorted alphabetically):
APT41 (FBI , CISA, Cisco , EDTA , FireEye, Mandiant , Kaspersky, Malpedia , Unit 42 , Zscaler )
Axiom (Note: treated as a separate threat actor)
BARIUM (formerly used by Microsoft)
Blackfly (Symantec )
Brass Typhoon (Microsoft )
Bronze Atlas (SecureWorks )
Double Dragon (Wikipedia )
Earth Baku (Trend Micro )
Grayfly (Symantec )
Red Kelpie (PWC?)
RedEcho (different threat actor from Recorded Future possible overlaps)
Redfly (not used by Symantec, but linked via ShadowPad malware)
RedGolf (officially used by Recorded Future )
SparklingGoblin (ESET )
TG-2633 (formerly used by SecureWorks)
Wicked Panda (used by CrowdStrike to track espionage)
Wicked Spider (used by CrowdStrike to track cybercrime)
Winnti, Winnti Group (Kaspersky, ESET , Cybereason , PwC)
Subgroups
Identified Members
Associated Company
Chengdu Si Lingsi (404) Network Technology Company Ltd. (成都市肆零肆网络科技有限公司)
Vulnerabilities Exploited
CVE-2018-0824 (7.5 high, in CISA's KEV Catalog)
Microsoft COM for Windows Remote Code Execution Vulnerability
Source: Cisco
CVE-2017-0199 (7.8 high, in CISA's KEV Catalog)
Microsoft Office and WordPad Remote Code Execution Vulnerability
Sources: Clearsky , Fortinet , FireEye
CVE-2019-3396 (9.8 critical, in CISA's KEV Catalog)
Atlassian Confluence Server and Data Center Server-Side Template Injection Vulnerability.
Sources: FireEye , Fortinet
CVE-2015-1641 (7.8 high, in CISA's KEV Catalog)
Microsoft Office Memory Corruption Vulnerability
Source: Fortinet
CVE-2012-0158 (8.8 high, in CISA's KEV Catalog)
Microsoft MSCOMCTL.OCX Remote Code Execution Vulnerability
Sources: Fortinet , FireEye
CVE-2017-11882 (7.8 high, in CISA's KEV Catalog)
Microsoft Office Memory Corruption Vulnerability
Source: FireEye
The following 7 vulnerabilities have the same source: U.S. DOJ
CVE-2019-19781 (9.8 critical, in CISA's KEV Catalog)
Citrix ADC, Gateway, and SD-WAN WANOP Appliance Code Execution Vulnerability
Additional sources: FireEye , Fortinet
CVE-2019-11510 (10.0 critical, in CISA's KEV Catalog)
Ivanti Pulse Connect Secure Arbitrary File Read Vulnerability
CVE-2019-16920 (9.8 critical, in CISA's KEV Catalog)
D-Link Multiple Routers Command Injection Vulnerability
CVE-2019-16278 (9.8 critical)
Nostromo 1.9.6 Directory Traversal/ Remote Command Execution Vulnerability
CVE-2019-1652 (7.2 high, in CISA's KEV Catalog)
Cisco Small Business Routers Improper Input Validation Vulnerability.
Additional source: FireEye
CVE-2019-1653 (7.5 high, in CISA's KEV Catalog)
Cisco Small Business RV320 and RV325 Routers Information Disclosure Vulnerability.
Additional source: FireEye
CVE-2020-10189 (9.8 critical, in CISA's KEV Catalog)
Zoho ManageEngine Desktop Central File Upload Vulnerability.
Additional sources: FireEye , Fortinet
The following 2 vulnerabilities have the same source: Mandiant
CVE-2021-44228 (10.0 critical, in CISA's KEV Catalog)
Apache Log4j2 Remote Code Execution Vulnerability (aka Log4Shell).
CVE-2021-44207 (8.1 high)
Acclaim USAHERDS Hard-Coded Credentials Vulnerability
Tactics, Techniques, and Procedures
Mapped to MITRE ATT&CK Navigator Layers
References
Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.
Links (Sorted in Chronological Order)
2024
August 04, 2024 – Trend Micro : A Dive into Earth Baku’s Latest Campaign
August 01, 2024 – Cisco Talos : APT41 likely compromised Taiwanese government-affiliated research institute with ShadowPad and Cobalt Strike
July 18, 2024 – Mandiant : APT41 Has Arisen From the DUST
July 11, 2024 – Zscaler : MoonWalk: A deep dive into the updated arsenal of APT41 | Part 2
July 10, 2024 – Zscaler : DodgeBox: A deep dive into the updated arsenal of APT41 | Part 1
June 10, 2024 – Technical University of Zurich (ETH Zurich): From Vegas to Chengdu: Hacking Contests Bug Bounties, and China’s Offensive Cyber Ecosystem (research paper, PDF)
May 29, 2024 – Natto Thoughts : APT41’s Reconnaissance Techniques and Toolkit: Nmap and What Else?
May 22, 2024 – Natto Thoughts : Front Company or Real Business in China’s Cyber Operations
April 02, 2024 – Trend Micro : Earth Freybug Uses UNAPIMON for Unhooking Critical APIs (APT41 subgroup)
February 28, 2024 – Natto Thoughts : i-SOON: Kicking off the Year of the Dragon with Good Luck … or Not (more about association of i-SOON to Chengdu 404)
2023
October 27, 2023 – Natto Thoughts : i-SOON: Another Company in the APT41 Network
September 22, 2023 – Mandiant : Threat Trends: Unraveling WyrmSpy and DragonEgg Mobile Malware with Lookout
September 12, 2023 – Symantec : Redfly: Espionage Actors Continue to Target Critical Infrastructure (tenuous link via ShadowPad trojan)
July 19, 2023 – Lookout : Lookout Attributes Advanced Android Surveillanceware to Chinese Espionage Group APT41
May 02, 2023 – Trend Micro : Attack on Security Titans: Earth Longzhi Returns With New Tricks (APT41 subgroup)
April 01, 2023 – Google Cloud /Threat Analysis Group (TAG): April 2023 Threat Horizons Report (PDF, page 9: HOODOO Uses Public Tooling, Google Workspace to Target Taiwanese Media)
March 30, 2023 – Recorded Future : With KEYPLUG, China’s RedGolf Spies On, Steals From Wide Field of Targets (PDF)
February 28, 2023 – Symantec : Blackfly: Espionage Group Targets Materials Technology
2022
November 09, 2022 – Trend Micro : Hack the Real Box: APT41’s New Subgroup Earth Longzhi (APT41 subgroup)
October 18, 2022 – Symantec : Spyder Loader: Malware Seen in Recent Campaign Targeting Organizations in Hong Kong
September 22, 2022 – U.S. Health and Human Services (HHS): APT41 and Recent Activity (PDF)
September 14, 2022 – ESET : You never walk alone: The SideWalk backdoor gets a Linux variant
August 22, 2022 – Mandiant : APT41 (Double Dragon): A Dual Espionage and Cyber Crime Operation (PDF)
August 18, 2022 – Group-IB :
July 24, 2022 – Intrusion Truth : Chinese APTs: Interlinked networks and side hustles
July 23, 2022 – Intrusion Truth : The people behind Chengdu 404
July 22, 2022 – Intrusion Truth : Chengdu 404
July 21, 2022 – Intrusion Truth : The old school hackers behind APT41
July 20, 2022 – Intrusion Truth : APT41: A Case Sudy [sic]
May 02, 2022 – Cybereason :
March 08, 2022 – Mandiant : Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments
February 15, 2022 – Secureworks : ShadowPad Malware Analysis
January 20, 2022 – Kaspersky : MoonBounce: the dark side of UEFI firmware
2021
October 05, 2021 – BlackBerry : Drawing a Dragon: Connecting the Dots to Find APT41
September 21, 2021 – Recorded Future : China-Linked Group TAG-28 Targets India’s “The Times Group” and UIDAI (Aadhaar) Government Agency With Winnti Malware , available as PDF (tenuous connection via Winnti malware)
September 09, 2021 – Symantec : Grayfly: Chinese Threat Actor Uses Newly-discovered Sidewalk Malware
August 24, 2021 – ESET : The SideWalk may be as dangerous as the CROSSWALK
August 24, 2021 – Trend Micro : APT41 Resurfaces as Earth Baku With New Cyberespionage Campaign
August 20, 2021 – CISA : Chinese State-Sponsored Cyber Operations: Observed TTPs (generalized Chinese threat activity)
July 08, 2021 – Recorded Future : Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling (TAG-22 overlaps with Winnti, but is considered Aquatic Panda)
July 01, 2021 – Avast : Backdoored Client from Mongolian CA MonPass
June 10, 2021 – Group-IB : Big airline heist
April 29, 2021 – NTT : The Operations of Winnti group (PDF)
March 16, 2021 – Dragos : New ICS Threat Activity Group: VANADINITE (Winnti subgroup)
March 10, 2021 – Intezer : New Linux Backdoor RedXOR Likely Operated by Chinese Nation-State Actor
March 08, 2021 – Mazaher Kianpour : Socio-Technical Root Cause Analysis of Cyber-enabled Theft of the U.S. Intellectual Property — The Case of APT41 (PDF)
February 28, 2021 – Recorded Future : China-linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions , majority in PDF
January 14, 2021 – Positive Technologies : Higaisa or Winnti? APT41 backdoors, old and new
2020
November 11, 2020 – Microsoft : Hunting for Barium using Azure Sentinel
October 20, 2020 – CISA : Potential for China Cyber Response to Heightened U.S.–China Tensions (brief mention of APT41)
September 29, 2020 – Positive Technologies : ShadowPad: new activity from the Winnti group
September 18, 2020 – Trend Micro : U.S. Justice Department Charges APT41 Hackers over Global Cyberattacks
September 17, 2020 – Symantec : APT41: Indictments Put Chinese Espionage Group in the Spotlight
September 16, 2020 – U.S. Department of Justice : Seven International Cyber Defendants, Including “Apt41” Actors, Charged In Connection With Computer Intrusion Campaigns Against More Than 100 Victims Globally (ATTRIBUTION )
September 16, 2020 – FBI FLASH: Indictment of China-Based Cyber Actors Associated with APT 41 for Intrusion Activities (PDF)
June 11, 2020 – Zscaler : The Return of the Higaisa APT (see Positive Technologies link from January 14, 2021)
June 04, 2020 – Malwarebytes : New LNK attack tied to Higaisa APT discovered (see Positive Technologies link from January 14, 2021)
May 21, 2020 – ESET : No “Game over” for the Winnti Group
May 06, 2020 – Trend Micro : Targeted Ransomware Attack Hits Taiwan Organizations
April 20, 2020 – QuoIntelligence : WINNTI GROUP: Insights From the Past
April 13, 2020 – Unit 42 : APT41 Using New Speculoos Backdoor to Target Organizations Globally
March 25, 2020 – FireEye : This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits
February ??, 2020 – PwC : Cyber Threats 2019: A Year in Retrospect (PDF, page 10)
January 31, 2020 – ESET : Winnti Group targeting universities in Hong Kong
January 31, 2020 – Tagesschau (German news): Deutsches Chemieunternehmen gehackt (German language, archive of dead link. English translated title: “German chemical company hacked”)
2019
October 31, 2019 – FireEye : MESSAGETAP: Who’s Reading Your Text Messages?
October 21, 2019 – ESET : Winnti Group's skip-2.0: A Microsoft SQL Server backdoor
October 15, 2019 – FireEye : LOWKEY: Hunting for the Missing Volume Serial ID
October 14, 2019 – ESET : Connecting the dots: Exposing the arsenal and methods of the Winnti Group , with whitepaper PDF
September 14, 2019 – VMware : CB TAU Threat Intelligence Notification: Winnti Malware 4.0
August 19, 2019 – FireEye : GAME OVER: Detecting and Stopping an APT41 Operation
August 07, 2019 – FireEye : APT41: A Dual Espionage and Cyber Crime Operation , available as PDF
July 24, 2019 – Bayerischer Rundfunk (BR): Winnti: Attacking the Heart of the German Industry
May 29, 2019 – Intezer : HiddenWasp Malware Stings Targeted Linux Systems (link to Winnti malware)
May 16, 2019 – Lab52 : Winnti Group: Geostrategic and TTP (Tactics, Techniques and Procedures)
May 15, 2019 – Chronicle : Winnti: More than just Windows and Gates
April 23, 2019 – Kaspersky : Operation ShadowHammer: a high-profile supply chain attack
March 25, 2019 – Kaspersky : Operation ShadowHammer
March 11, 2019 – ESET : Gaming industry still in the scope of attackers in Asia
2018
2017
2016
2015
2013
Feedback: Please direct message any comments, concerns, corrections or questions to https://infosec.exchange/@screaminggoat
September 5, 2024
Country: Russia
Organization: Russian General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155)
Objective: Espionage, Sabotage, Assassinations, Influence Operations
(Page last updated: September 07, 2024)
Aliases:
Identified Members
Amin Timovich Stigal (Амин Стигал), Russian civilian hacker:
Yuriy Fedorovich Denisov (Юрий Денисов), Colonel and Commanding Officer of Cyber Operations for Unit 29155:
Vladislav Yevgenyevich Borovkov (Владислав Боровков), lieutenant in Unit 29155:
Denis Igorevich Denisenko (Денис Денисенко), lieutenant in Unit 29155:
Dmitriy Yuryevich Goloshubov (Дима Голошубов), lieutenant in Unit 29155:
Nikolay Aleksandrovich Korchagin (Николай Корчагин), lieutenant in Unit 29155:
Vulnerabilities Exploited
CVE-2017-11882 (7.8 high, in CISA's KEV Catalog)
Microsoft Office Memory Corruption Vulnerability
Source: Unit 42
The following 5 vulnerabilities have the same source: CISA
CVE-2021-33044 (9.8 critical, in CISA's KEV Catalog)
Dahua IP Camera Authentication Bypass Vulnerability
CVE-2021-33045 (9.8 critical, in CISA's KEV Catalog)
Dahua IP Camera Authentication Bypass Vulnerability
CVE-2022-26134 (9.8 critical, in CISA's KEV Catalog)
Atlassian Confluence Server and Data Center Remote Code Execution Vulnerability
CVE-2022-26138 (9.8 critical, in CISA's KEV Catalog)
Atlassian Questions For Confluence App Hard-coded Credentials Vulnerability
CVE-2022-3236 (9.8 critical, in CISA's KEV Catalog)
Sophos Firewall Code Injection Vulnerability
Exploitation Likely
CISA and co-authoring agencies warned on 06 September 2024 that Unit 29155 cyber actors have been observed obtaining the respective exploit scripts for the following 5 vulnerabilities:
CVE-2020-1472 (9.8 critical, in CISA's KEV Catalog)
Microsoft Netlogon Privilege Escalation Vulnerability
CVE-2021-26084 (9.8 critical, in CISA's KEV Catalog)
Atlassian Confluence Server and Data Center Object-Graph Navigation Language (OGNL) Injection Vulnerability
CVE-2021-3156 (7.8 high, in CISA's KEV Catalog)
Sudo Heap-Based Buffer Overflow Vulnerability
CVE-2021-4034 (7.8 high, in CISA's KEV Catalog)
Red Hat Polkit Out-of-Bounds Read and Write Vulnerability
CVE-2022-27666 (7.8 high)
Red Hat: IPSec ESP Local Privilege Escalation Vulnerability
Tactics, Techniques, and Procedures
Mapped to MITRE ATT&CK Navigator Layers
References
Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.
Links (Sorted in Chronological Order)
2024
September 06, 2024 – ASD ACSC : Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure
September 05, 2024 – CISA : Russian Military Cyber Actors Target US and Global Critical Infrastructure , available as PDF
September 05, 2024 – U.S. Department of Justice :
September 05, 2024 – NSA : NSA, FBI, CISA, and Allies Issue Advisory about Russian Military Cyber Actors
September 05, 2024 – U.S. State Department : Up to $1 Million Reward Offer for Information Leading to Arrest and/or Conviction of Russian National Tim Vakhaevich Stigal
September 05, 2024 – NCSC-UK : UK and Allies uncover Russian military unit carrying out cyber attacks and digital sabotage for the first time
September 05, 2024 – BfV (Germany): Joint Cybersecurity Advisory on Russian Military Cyber Actors targeting U.S. and Global Critical Infrastructure
September 05, 2024 – KAPO (Estonia): A GRU military unit launched cyberattacks against Estonian authorities
September 05, 2024 – Estonia Prosecutor's Office: A GRU military unit launched cyberattacks against Estonian authorities
September 05, 2024 – Estonia Ministry of Foreign Affairs (MFA): Estonia names Russia’s military intelligence in a first-ever attribution of cyberattacks
September 05, 2024 – The Netherlands Military Intelligence and Security Service (MIVD): MIVD waarschuwt: Russen hebben het gemunt op westerse hulp aan Oekraïne (Dutch)
September 05, 2024 – CCCS : Russian military cyber actors target U.S. and global critical infrastructure
June 26, 2024 – U.S. Department of Justice : Russian National Charged For Conspiring With Russian Military Intelligence To Destroy Ukrainian Government Computer Systems And Data (Amin Stigal)
2023
2022
December 05, 2022 – Elastic : Operation Bleeding Bear
July 20, 2022 – USCYBERCOM : Cyber National Mission Force discloses IOCs from Ukrainian networks
July 20, 2022 – Mandiant : Evacuation and Humanitarian Documents used to Spear Phish Ukrainian Entities
July 13, 2022 – Malwarebytes : Cobalt Strikes again: UAC-0056 continues to target Ukraine in its latest campaign
July 11, 2022 – CERT-UA : Attack by UAC-0056 group on state organizations of Ukraine using Cobalt Strike Beacon (CERT-UA#4941) (Ukrainian)
July 06, 2022 – CERT-UA : Cyber attack UAC-0056 on state organizations of Ukraine using Cobalt Strike Beacon (CERT-UA#4914) (Ukrainian)
April 26, 2022 – CERT-UA : UAC-0056 group cyber attack using GraphSteel and GrimPlant malware and the topic of COVID-19 (CERT-UA#4545) (Ukrainian)
April 25, 2022 – Bitdefender : Deep Dive into the Elephant Framework – A New Cyber Threat in Ukraine
April 04, 2022 – Intezer : Elephant Framework Delivered in Phishing Attacks Against Ukrainian Organizations
April 04, 2022 – NioGuard : Russian SaintBear Group Attacked Ukrainian Government Agencies Using GraphSteel & GrimPlant malware
April 01, 2022 – Malwarebytes : New UAC-0056 activity: There’s a Go Elephant in the room
March 30, 2022 – CrowdStrike : Who is EMBER BEAR?
March 28, 2022 – CERT-UA : Cyber attack of the UAC-0056 group on the state bodies of Ukraine using GraphSteel and GrimPlant malware (CERT-UA#4293) (Ukrainian)
March 15, 2022 – SentinelOne : Threat Actor UAC-0056 Targeting Ukraine with Fake Translation Software
March 04, 2022 – Mandiant : Responses to Russia's Invasion of Ukraine Likely to Spur Retaliation
February 25, 2022 – Unit 42 : Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot
February 21, 2022 – NSFOCUS : APT Lorec53 group launched a series of cyber attacks against Ukraine
February 08, 2022 – NSFOCUS : APT Retrospection: Lorec53, An Active Russian Hack Group Launched Phishing Attacks Against Georgian Government
February 02, 2022 – CERT-UA : Cyber attack of the UAC-0056 group on state organizations of Ukraine using SaintBot and OutSteel malware (CERT-UA#3799) (Ukrainian)
January 20, 2022 – Unit 42 : Threat Brief: Ongoing Russia and Ukraine Cyber Activity
January 17, 2022 – Picus : TTPs used by DEV-0586 APT Group in WhisperGate Attack Targeting Ukraine
January 16, 2022 – NCSCC-UA on Twitter: Operation # BleedingBear
January 15, 2022 – Microsoft : Destructive malware targeting Ukrainian organizations
2021
September 2, 2024
Country: Islamic Republic of Iran
Organization: Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO)
Objective: Espionage, Intelligence collection
(Page last updated September 28, 2024)
Aliases:
Sub-group:
Vulnerabilities Exploited
Tactics, Techniques, and Procedures
Mapped to MITRE ATT&CK
External link: MITRE
References
Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.
Links (Sorted in Chronological Order)
2024
September 27, 2024:
August 28, 2024 – Mandiant : I Spy With My Little Eye: Uncovering an Iranian Counterintelligence Operation (note: weak overlap)
August 23, 2024 – Meta : Taking Action Against Malicious Accounts in Iran
August 20, 2024 – Proofpoint : Best Laid Plans: TA453 Targets Religious Figure with Fake Podcast Invite Delivering New BlackSmith Malware Toolset
August 20, 2024 – Recorded Future : GreenCharlie Infrastructure Linked to US Political Campaign Targeting , available as PDF
August 19, 2024 – CISA : Joint ODNI, FBI, and CISA Statement on Iranian Election Influence Efforts (Note: not explicitly identified)
August 14, 2024 – Google Threat Analysis Group (TAG): Iranian backed group steps up phishing campaigns against Israel, U.S.
August 14, 2024 – Harfang Lab : Cyclops: a likely replacement for BellaCiao
August 08, 2024 – Microsoft Threat Analysis Center Iran Targeting 2024 US Election
May 22, 2024 – Cyble : Threat Actor Profile: Magic Hound
May 10, 2024: New Jersey Cybersecurity & Communications Integration Cell (NJ-CCIC): Recent Observed Iranian State-Sponsored Cyber Threat Group Activity (ATTRIBUTION to IRGC-IO )
May 1, 2024 – Mandiant : Uncharmed: Untangling Iran's APT42 Operations
February 13, 2024 – Volexity : CharmingCypress: Innovating Persistence
January 17, 2024 – Microsoft : New TTPs observed in Mint Sandstorm campaign targeting high-profile individuals at universities and research orgs
2023
2022
December 14, 2022 – Proofpoint : Would’ve, Could’ve, Should’ve…Did: TA453 Refuses to be Bound by Expectations
December 12, 2022 – SOCRadar : Dark Web Profile: APT42 – Iranian Cyber Espionage Group
November 29, 2022 – Recorded Future : Suspected Iran-Nexus TAG-56 Uses UAE Forum Lure for Credential Theft Against US Think Tank , available as PDF
September 27, 2022 – Avertium : An In-Depth Look at APT35 aka Charming Kitten
September 14, 2022 – U.S. Treasury : Treasury Sanctions IRGC-Affiliated Cyber Actors for Roles in Ransomware Activity (ATTRIBUTION to IRGC , links “Tunnel Vision” to Charming Kitten)
September 13, 2022 – Proofpoint : Look What You Made Me Do: TA453 Uses Multi-Persona Impersonation to Capitalize on FOMO
September 09, 2022 – CERT-FA : Charming Kitten: “Can We Have A Meeting?”
September 07, 2022 – Mandiant : APT42: Crooked Charms, Cons, and Compromises , available as PDF
September 07, 2022 – Microsoft : Profiling DEV-0270: PHOSPHORUS’ ransomware operations
August 23, 2022 – Google Threat Analysis Group (TAG): New Iranian APT data extraction tool
July 22, 2022 – PwC : Old cat, new tricks, bad habits
June 01, 2022 – Deep Instinct : Iranian Threat Actor Continues to Develop Mass Exploitation Tools
March 30, 2022 – Recorded Future : Social Engineering Remains Key Tradecraft for Iranian APTs , available as PDF
March 21, 2022 – The DFIR Report : PHOSPHORUS Automates Initial Access Using ProxyShell
March 09, 2022 – eSentire : Exploitation of VMware Horizon Servers by TunnelVision Threat Actor
February 17, 2022 – SentinelOne : Log4j2 In The Wild | Iranian-Aligned Threat Actor “TunnelVision” Actively Exploiting VMware Horizon
February 01?, 2022 – Cybereason : PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage
January 11, 2022 – Check Point Research : APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit
2021
2020
2019
2018
2017
2016
August 24, 2024
Country: People's Republic of China (PRC)
Organization: Hainan State Security Department (HSSD), of the Ministry of State Security (MSS)
Objective: Espionage
Aliases:
Bronze Mohawk (Secureworks )
Leviathan/Kryptonite Panda (CrowdStrike)
Gadolinium (formerly used by Microsoft)
Gingam Typhoon (Microsoft )
FEVERDREAM, G0065, GreenCrash, Hellsing, Mudcarp, Periscope
Temp.Periscope/ Temp.Jumper (FireEye)
Front Company
Hainan Xiandun Technology Development Co., Ltd. (海南仙盾) (Hainan Xiandun) (Note: disbanded)
Identified Members
Ding Xiaoyang (丁晓阳)
Cheng Qingmin (程庆民)
Zhu Yunmin (朱允敏)
Wu Shurong (吴淑荣)
References:
Links (Sorted in Chronological Order)
2021
2020
2019
June 9, 2024
Country: People's Republic of China
Organization: N/A
Objective: Espionage
(Page Last Updated: September 08, 2024)
Aliases:
Vulnerabilities Exploited
CVE-2024-39717 (CVSSv3.1: 6.6 medium, in CISA's KEV Catalog)
Versa Director Dangerous File Type Upload Vulnerability
Source: Lumen
CVE-2022-42475 (CVSSv3.1: 9.8 critical, in CISA's KEV Catalog)
Fortinet FortiOS Heap-Based Buffer Overflow Vulnerability
Source: CISA
Source: Versa Networks
CVE-2023-27997 (CVSSv3.1: 9.8 critical, in CISA's KEV Catalog)
Fortinet FortiOS and FortiProxy SSL-VPN Heap-Based Buffer Overflow Vulnerability
CVE-2024-21762 (CVSSv3.1: 9.8 critical, in CISA's KEV Catalog)
Fortinet FortiOS Out-of-Bound Write Vulnerability
CVE-2023-46805 (CVSSv3.1: 8.2 high, in CISA's KEV Catalog)
Ivanti Connect Secure and Policy Secure Authentication Bypass Vulnerability
CVE-2024-21887 (CVSSv3.1: 9.1 critical, in CISA's KEV Catalog)
Ivanti Connect Secure and Policy Secure Command Injection Vulnerability
References
Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.
Links (Sorted in Chronological Order)
2024
August 27, 2024 – Lumen : Taking the Crossroads: The Versa Director Zero-Day Exploitation
June 12, 2024 – Natto Thoughts : Who is Volt Typhoon? A State-sponsored Actor? Or Dark Power?
April 04, 2024 – Mandiant : Cutting Edge, Part 4: Ivanti Connect Secure VPN Post-Exploitation Lateral Movement Case Studies
March 20, 2024 – ASD ACSC : PRC State-Sponsored Cyber Activity
February 14?, 2024 – Dragos : VOLTZITE Espionage Operations Targeting U.S. Critical Systems and (7 page PDF )
February 14, 2024 – Unit 42 : Threat Brief: Attacks on Critical Infrastructure Attributed to Insidious Taurus (Volt Typhoon)
February 07, 2024 – Lumen : KV-Botnet: Don’t call it a Comeback
February 07, 2024 – CISA:
January 31, 2024 – U.S. Department of Justice: U.S. Government Disrupts Botnet People’s Republic of China Used to Conceal Hacking of Critical Infrastructure
January 31, 2024 – CISA : Secure by Design Alert: Security Design Improvements for SOHO Device Manufacturers and (2 page PDF )
January 11, 2024 – Security Scorecard : Threat Intelligence Research: Volt Typhoon Compromises 30% of Cisco RV320/325 Devices in 37 Days
2023
Feedback: Please direct message any comments, concerns, corrections or questions to https://infosec.exchange/@screaminggoat
May 27, 2024
Country: Russia
Organization: Russian General Staff Main Intelligence Directorate (GRU) 85th special Service Centre (GTsSS) Military Intelligence Unit 26165.
Objective: Espionage
WORK IN PROGRESS! (Page last updated: September 09, 2024)
Aliases:
APT28 (MITRE , Mandiant)
Fancy Bear (CrowdStrike)
Sofacy (F-Secure)
Sednit or Sednit Group (ESET)
Group 74 (Cisco Talos Intelligence)
IRON TWILIGHT (Secureworks)
Strontium (formerly used by Microsoft)
Forest Blizzard (Microsoft )
Pawn Storm (Trend Micro)
Swallowtail (Symantec)
BlueDelta (Recorded Future)
UAC-0028 (CERT-UA)
TA422 (Proofpoint)
Fighting Ursa (Unit 42)
FROZENLAKE (Google Threat Analysis Group)
Possible Ties
Identified Members
Still parsing through the indictments.
Vulnerabilities Exploited
Coming soon! There's a lot.
Tactics, Techniques, and Procedures
Mapped to MITRE ATT&CK Navigator Layers
References
Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.
Links (Sorted in Chronological Order)
2024
August 02, 2024 – Unit 42 : Fighting Ursa Luring Targets With Car for Sale
July 22, 2024 – Computer Emergency Response Team of Ukraine (CERT-UA ): UAC-0063 атакує науково-дослідні установи України: HATVIBE + CHERRYSPY + CVE-2024-23692 (CERT-UA#10356) (Ukrainian)
June 12, 2024 – Mandiant / Google TAG : Insights on Cyber Threats Targeting Users and Enterprises in Brazil
May 3, 2024 – U.S. State Department : The United States Condemns Malicious Cyber Activity Targeting Germany, Czechia, and Other EU Member States
April 22, 2024 – Microsoft : Analyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials
February 27, 2024 – NSA : Russian Cyber Actors Use Compromised Routers to Facilitate Cyber Operations
February 15, 2024 – U.S. Department of Justice : Justice Department Conducts Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU)
February 14, 2024 – Microsoft : Staying ahead of threat actors in the age of AI
2023
2022
2021
2020
2018
2016
2015
Feedback: Please direct message any comments, concerns, corrections or questions to https://infosec.exchange/@screaminggoat
May 26, 2024
Country: Russia
Organization: Foreign Intelligence Service (SVR)
Objective: Espionage
Aliases:
APT29 (MITRE , Mandiant, Kaspersky, BlackBerry, Infoblox, )
Cozy Bear (CrowdStrike)
The Dukes (F-Secure)
Group 100 (Talos)
Iron Hemlock (SecureWorks)
Nobelium (formerly used by Microsoft)
Midnight Blizzard (Microsoft )
Iron Hemlock (SecureWorks)
Cloaked Ursa (Palo Alto)
BlueBravo (Recorded Future)
Cloaked Ursa (Unit 42)
Links