Not Simon 🐐

APT28

May 27, 2024

Country: Russia Organization: Russian General Staff Main Intelligence Directorate (GRU) 85th special Service Centre (GTsSS) Military Intelligence Unit 26165. Objective: Espionage WORK IN PROGRESS! (Page last updated: September 09, 2024)

Aliases:

APT28 (MITRE, Mandiant)
Fancy Bear (CrowdStrike)
Sofacy (F-Secure)
Sednit or Sednit Group (ESET)
Group 74 (Cisco Talos Intelligence)
IRON TWILIGHT (Secureworks)
Strontium (formerly used by Microsoft)
Forest Blizzard (Microsoft)
Pawn Storm (Trend Micro)
Swallowtail (Symantec)
BlueDelta (Recorded Future)
UAC-0028 (CERT-UA)
TA422 (Proofpoint)
Fighting Ursa (Unit 42)
FROZENLAKE (Google Threat Analysis Group)

Possible Ties

UAC-0063 (according to CERT-UA)

Identified Members

Still parsing through the indictments.

Vulnerabilities Exploited

Coming soon! There's a lot.

Tactics, Techniques, and Procedures

Mapped to MITRE ATT&CK Navigator Layers

References

Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.

Links (Sorted in Chronological Order)

2016

August 06, 2016 – Microsoft: Microsoft Corporation v. John Does 1-2 (PDF, Civil Action No: 1:16-CV-993)

2015

November 16, 2015 – Microsoft: Microsoft Security Intelligence Report Volume 19 (PDF, page 13)

Feedback: Please direct message any comments, concerns, corrections or questions to https://infosec.exchange/@screaminggoat

APT29

May 26, 2024

Country: Russia Organization: Foreign Intelligence Service (SVR) Objective: Espionage

Aliases:

APT29 (MITRE, Mandiant, Kaspersky, BlackBerry, Infoblox, )
Cozy Bear (CrowdStrike)
The Dukes (F-Secure)
Group 100 (Talos)
Iron Hemlock (SecureWorks)
Nobelium (formerly used by Microsoft)
Midnight Blizzard (Microsoft)
Iron Hemlock (SecureWorks)
Cloaked Ursa (Palo Alto)
BlueBravo (Recorded Future)
Cloaked Ursa (Unit 42)

Links

CISA:
- SVR Cyber Actors Adapt Tactics for Initial Cloud Access (February 26, 2024)
- Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally (December 13, 2023)
- Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise (May 21, 2021)
- Russian Foreign Intelligence Service (SVR) Cyber Operations: Trends and Best Practices for Network Defenders (April 26, 2021)
- Detecting Post-Compromise Threat Activity Using the CHIRP IOC Detection Tool (April 15, 2021)
- Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments (January 8, 2021)
- Enhanced Analysis of GRIZZLY STEPPE Activity (February 10, 2017)
NCSC-UK:
- UK and allies expose evolving tactics of Russian cyber actors (February 26, 2024)
- Joint advisory: Further TTPs associated with SVR cyber actors (May 7, 2021)
- Advisory: APT29 targets COVID-19 vaccine development (July 16, 2020)
Mandiant: APT29 Uses WINELOADER to Target German Political Parties (March 22, 2024)
Microsoft:
- Update on Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard (March 08, 2024)
- Midnight Blizzard: Guidance for responders on nation-state attack (January 25, 2024)
- Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard (January 19, 2024)
- Midnight Blizzard conducts targeted social engineering over Microsoft Teams (August 2, 2023)
- MagicWeb: NOBELIUM’s post-compromise trick to authenticate as anyone (August 24, 2022)
- NOBELIUM targeting delegated administrative privileges to facilitate broader attacks (October 25, 2021)

MuddyWater

May 26, 2024

Country: Islamic Republic of Iran Organization: Ministry of Intelligence and Security (MOIS) Objective: Espionage (Page last updated December 05, 2024)

Aliases:

ATK 51 (Thales)
Cobalt Ulster (SecureWorks)
Boggy Serpens (Unit 42)
Earth Vetala (Trend Micro)
ENT-11 (NTT Security)
ITG17 (IBM)
Mango Sandstorm (Microsoft)
MERCURY (formerly used by Microsoft)
MuddyWater (CERTFA, Check Point, Cisco Talos Intelligence, Clearsky, Deep Instinct, ESET Research, Group-IB, MITRE, Kaspersky, Trellix, Unit 42)
Seedworm (Symantec)
Static Kitten (CrowdStrike)
T-APT-14 (Tencent)
TA450 (Proofpoint)
TEMP.Zagros (FireEye)
Yellow Nix (PWC)

Vulnerabilities Exploited

CVE-2023-27350 (CVSSv3: 9.8 critical) PaperCut MF/NG Improper Access Control Vulnerability. Source: Microsoft
CVE-2021-45046 (CVSSv3: 9.0 critical) Apache Log4j2 Remote Code Execution Vulnerability (also related to Log4Shell). Source: Microsoft
CVE-2021-44228 (CVSSv3: 10.0 critical) Apache Log4j2 Remote Code Execution Vulnerability (aka Log4Shell). Source: Microsoft
CVE-2020-0688 (CVSSv3: 8.8 high) Microsoft Exchange Validation Key Remote Code Execution Vulnerability. Source: CISA, SentinelOne
CVE-2020-1472 (CVSSv3: 10.0 critical) Netlogon Elevation of Privilege Vulnerability (aka ZeroLogon). Source: Clearsky, CISA
CVE-2020-0688 (CVSSv3: 8.8 high) Microsoft Exchange Validation Key Remote Code Execution Vulnerability. Source: Clearsky
CVE-2017-0199 (CVSSv3: 7.8 high) Microsoft Office/WordPad Remote Code Execution Vulnerability. Source: Clearsky, CISA

References

Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.

Links (Sorted in Chronological Order)

2024

November 20, 2024 – Sophos: Sophos MDR blocks and tracks activity from probable Iranian state actor “MuddyWater”
October 30, 2024 – Cisco Talos: Writing a BugSleep C2 server and detecting its traffic with Snort (malware analysis)
October 22, 2024 – k3yp0d: Something phishy is happening in Armenia (independent researcher)
July 15, 2024 – Sekoia: MuddyWater replaces Atera by custom MuddyRot implant in a recent campaign
July 15, 2024 – Check Point Research: New BugSleep Backdoor Deployed in Recent MuddyWater Campaigns
May 14, 2024 – ESET Research: ESET APT Activity Report Q4 2023–Q1 2024
April 24, 2024 – Broadcom: Seedworm exploits Atera Agent in a spear-phishing Campaign
22 April 2024 – HarfangLab: Increased activity from Iran sponsored APT MuddyWater, targeting Middle East, African & European organisations.
April 08, 2024: Unit 42: Boggy Serpens (MuddyWater) Use of AutodialDLL
April 07, 2024 – Broadcom: Seedworm distributing remote administration management software agents
March 29, 2024 – Malwation: New MuddyWater Campaigns After Operation Swords of Iron
March 21, 2024 – Proofpoint: Security Brief: TA450 Uses Embedded Links in PDF Attachments in Latest Campaign
March 07, 2024 – Israel National Cyber Directorate: An active phishing campaign in Israeli territory – the Iranian attack group MuddyWater (Hebrew language)

2023

December 19, 2023 – Symantec: Seedworm: Iranian Hackers Target Telecoms Orgs in North and East Africa
November 08, 2023 – Deep Instinct: MuddyC2Go – Latest C2 Framework Used by Iranian APT MuddyWater Spotted in Israel
November 01, 2023 – Deep Instinct: MuddyWater eN-Able spear-phishing with new TTPs
June 29, 2023 – Deep Instinct: PhonyC2: Revealing a New Malicious Command & Control Framework by MuddyWater
May 5, 2023 – Microsoft: Twitter: “Microsoft has now observed Iranian state-sponsored threat actors Mint Sandstorm (PHOSPHORUS) & Mango Sandstorm (MERCURY) exploiting CVE-2023-27350.”
May 02 2023 – ESET Research: APT groups muddying the waters for MSPs
April 18, 2023 – Group-IB: SimpleHarm: Tracking MuddyWater’s infrastructure
April 07, 2023 – Microsoft: MERCURY and DEV-1084: Destructive attack on hybrid environment

2022

December 08, 2022 – Deep Instinct: New MuddyWater Threat: Old Kitten; New Tricks
September 09, 2022 – U.S. Treasury: Treasury Sanctions Iranian Ministry of Intelligence and Minister for Malign Cyber Activities
August 25, 2022 – Microsoft: MERCURY leveraging Log4j 2 vulnerabilities in unpatched systems to target Israeli organizations
June 21, 2022 – Lab52: MuddyWater’s “light” first-stager targeting Middle East
May 11, 2022 – NTT Security: Analysis of an Iranian APTs “E400” PowGoop variant reveals dozens of control servers dating back to 2020
March 14, 2022 – EclecticIQ: MuddyWater APT attributed to Iranian Ministry of Intelligence and Security, and the Increasing Global Ransomware Threat
March 10, 2022 – Cisco Talos: Iranian linked conglomerate MuddyWater comprised of regionally focused subgroups
February 24, 2022 – CISA: Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks
- February 24, 2022 – NCSC-UK: Malware Analysis Report: Small Sieve (PDF)
January 31, 2022 – Cisco Talos: Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables
January 13, 2022 – Picus: TTPs and IOCs Used by MuddyWater APT Group in Latest Attack Campaign
January 12, 2022 – USCYBERCOM: Iranian intel cyber suite of malware uses open source tools (ATTRIBUTION)
January 12, 2022 – SentinelOne: Wading Through Muddy Waters | Recent Activity of an Iranian State-Sponsored Threat Actor

2021

December 14, 2021 – Symantec: Espionage Campaign Targets Telecoms Organizations across Middle East and Asia
March 05, 2021 – Trend Micro: Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East
February 10, 2021 – Anomali: Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies

2020

October 21, 2020 – Symantec: Seedworm: Iran-Linked Group Continues to Target Organizations in the Middle East
October 15, 2020 – Clearsky: Operation Quicksand
February 26, 2020 – Secureworks: Business as Usual for Iranian Operations Despite Increased Tensions

2019

June 09, 2019 – Trend Micro: New MuddyWater Activities Uncovered (PDF)
June 06, 2019 – Clearsky: Iranian APT group ‘MuddyWater’ Adds Exploits to Their Arsenal
May 29, 2019 – Group-IB: Catching fish in muddy waters
May 20, 109 – Cisco Talos: Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques
April 29, 2019 – Kaspersky: I know what you did last summer, MuddyWater blending in the crowd
April 15, 2019 – Clearsky: Iranian APT MuddyWater Attack Infrastructure Targeting Kurdish Political Groups and Organizations in Turkey
April 10, 2019 – Check Point: The Muddy Waters of APT Attacks
March 07, 2019 – NSHC: SectorD02 PowerShell Backdoor Analysis

2018

December 10, 2018 – Symantec: Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms
November 30, 2018 – Trend Micro: New PowerShell-based Backdoor, MuddyWater Similarities
November 28, 2018 – Clearsky: MuddyWater Operations in Lebanon and Oman
October 10, 2018 – Kaspersky: MuddyWater expands operations
June 14, 2018 – Trend Micro: Potential MuddyWater Campaign uses PRB-Backdoor
March 13, 2018 – FireEye: Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign
March 12, 2018 – Trend Micro: Potential MuddyWater Campaign Seen in the Middle East
March 10, 2018 – Security 0wnage: A Quick Dip into MuddyWater's Recent Activity
February 01, 2018 – Security 0wnage: Burping on MuddyWater

2017

November 14, 2017 – Unit 42: Muddying the Water: Targeted Attacks in the Middle East
October 04, 2017 – Security 0wnage: Continued Activity targeting the Middle East

APT31

May 26, 2024

Country: People's Republic of China (PRC) Organization: Hubei State Security Department (HSSD), of the Ministry of State Security (MSS) Objective: Espionage (Page Last Updated: December 05, 2024)

Aliases:

BRONZE VINEWOOD (Secureworks)
Judgment Panda (CrowdStrike)
Red keres (PwC)
TA412 (Proofpoint)
Violet Typhoon (Microsoft)
ZIRCONIUM (formerly used by Microsoft, MITRE)
RedBravo (Recorded Future)

Front Company

Wuhan Xiaoruizhi Science and Technology Company, Limited (Wuhan XRZ, 武汉晓睿智科技有限责任公司)

Identified Members

Ni Gaobin (倪高彬)
Weng Ming (翁明)
Cheng Feng (程锋)
Peng Yaowen (彭耀文)
Sun Xiaohui (孙小辉)
Xiong Wang (熊旺)
Zhao Guangzong (赵光宗)

References

Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.

Links (Sorted in Chronological Order)

2024

October 31, 2024 – Sophos: Pacific Rim: Inside the Counter-Offensive—The TTPs Used to Neutralize China-Based Threats
March 25, 2024:
- U.S. Department of Justice: Seven Hackers Associated with Chinese Government Charged with Computer Intrusions Targeting Perceived Critics of China and U.S. Businesses and Politicians
- U.S. State Department: U.S. Takes Action to Further Disrupt PRC Cyber Activities
- Rewards for Justice: APT31/Wuhan Xiaoruizhi Science &Technology Company, Ltd.
- U.S. Treasury: Treasury Sanctions China-Linked Hackers for Targeting U.S. Critical Infrastructure
- United Kingdom: UK holds China state-affiliated organisations and individuals responsible for malicious cyber activity
- NCSC-UK: UK calls out China state-affiliated actors for malicious cyber targeting of UK democratic institutions and parliamentarians

2021

CERT-FR: (Update) APT31 modus operandi attack campaign targeting France (French language)

Feedback: Please direct message any comments, concerns, corrections or questions to https://infosec.exchange/@screaminggoat

Sandworm

May 26, 2024

Country: Russia Organization: Military Unit 74455, of the Main Center for Special Technologies (GTsST), of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), formerly known as the Main Intelligence Directorate Objective: Espionage, Attack, Influence Operations

Aliases:

UAC-0133 (CERT-UA)
Sandworm Team (Trend Micro, MITRE)
Sandworm (ESET, Rapid7)
Iron Viking (SecureWorks)
CTG-7263 (SecureWorks)
APT44 (Google Cloud, Mandiant)
FROZENBARENTS (Google Threat Analysis Group)
IRIDIUM (formerly used by Microsoft)
Seashell Blizzard (Microsoft)
Voodoo Bear (CrowdStrike)
ELECTRUM (Dragos)
Quedagh
Black Energy (Group)
TEMP.Noble

Personas Used

Cyber Army of Russia Reborn

Identified Members

Yuriy Sergeyevich Andrienko:
- Rewards for Justice
- FBI Most Wanted
Sergey Vladimirovich Detistov:
- Rewards for Justice
- FBI Most Wanted
Pavel Valeryevich Frolov:
- Rewards for Justice
- FBI Most Wanted
Anatoliy Sergeyevich Kovalev:
- Rewards for Justice
- FBI Most Wanted
Artem Valeryevich Ochichenko:
- Rewards for Justice
- FBI Most Wanted
Petr Nikolayevich Pliskin:
- Rewards for Justice
- FBI Most Wanted

Links

U.S. Department of Defense: New Sandworm malware Cyclops Blink replaces VPNFilter (PDF, February 23, 2022)
U.S. Department of Justice:
- Six Russian GRU Officers Charged in Connection with Worldwide Deployment of Destructive Malware and Other Disruptive Actions in Cyberspace (October 19, 2020)
- Justice Department Announces Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate (GRU) (April 6, 2022)
CISA: Infamous Chisel Malware Analysis Report (August 31, 2023)
NSA: Government Agencies Report New Russian Malware Targets Ukrainian Military (August 31, 2023)
NCSC-UK: New Sandworm malware Cyclops Blink replaces VPNFilter (February 23, 2022)

Callisto Group

May 26, 2024

Country: Russian Federation Organization: Federal Security Service (FSB) Center 18 Motivation: Espionage (Page last updated October 02, 2024)

Aliases

SEABORGIUM (formerly used by Microsoft)
Star Blizzard (Microsoft)
TA446 (Proofpoint)
COLDRIVER (Google Threat Analysis Group)
TAG-53 (formerly used by Recorded Future)
BlueCharlie (Recorded Future)
Iron Frontier (Secureworks)
Blue Callisto (PwC)
Calisto (Sekoia)
The Callisto Group (F-Secure, now called WithSecure)
UNC4057 (Mandiant)
Gossamer Bear (CrowdStrike)

Identified Members

Ruslan Aleksandrovich Peretyatko
- Rewards for Justice
- FBI Most Wanted
Andrey Stanislavovich Korinets
- Rewards for Justice
- FBI Most Wanted

References (Sorted by Chronological Order)

2024

October 01, 2024 – Zimperium: Zimperium Coverage on COLDRIVER Phishing Campaign
September 07, 2024 – Free Russia Foundation: Free Russia Foundation Response to Data Breach
April 25, 2024 – Mandiant: Poll Vaulting: Cyber Threats to Global Elections

2023

December 13, 2023 – Sekoia: CALISTO doxxing: Sekoia.io findings concurs to Reuters’ investigation on FSB-related Andrey Korinets
December 8, 2023:
- NCSC-NZ: Joint Advisory: Russian state cyber actors’ global spear-phishing campaigns
- ACSC ASD: Russian FSB cyber actor Star Blizzard continues worldwide spear-phishing campaigns
December 7, 2023: (ATTRIBUTION)
- NCSC-UK: Russian FSB cyber actor Star Blizzard continues worldwide spear-phishing campaigns
- United Kingdom: UK exposes attempted Russian cyber interference in politics and democratic processes
- CISA: Russian FSB Cyber Actor Star Blizzard Continues Worldwide Spear-phishing Campaigns
- FBI: Russian FSB cyber actor Star Blizzard continues worldwide spear-phishing campaigns. (PDF)
- U.S. Cyber Command: US, Allies Highlight Russian-State Cyber Actor “Star Blizzard” Spear-phishing Campaigns
- U.S. Department of Justice: Two Russian Nationals Working with Russia’s Federal Security Service Charged with Global Computer Intrusion Campaign
- U.S. Treasury: United States and the United Kingdom Sanction Members of Russian State Intelligence-Sponsored Advanced Persistent Threat Group
- U.S. State Department: U.S. Takes Action to Further Disrupt Russian Cyber Activities
- Microsoft: Star Blizzard increases sophistication and evasion in ongoing attacks
August 02, 2023 – Recorded Future: BlueCharlie, Previously Tracked as TAG-53, Continues to Deploy New Infrastructure in 2023
February 15, 2023 – Mandiant/Google TAG: Fog of War: How the Ukraine Conflict Transformed the Cyber Threat Landscape (PDF)
January 26, 2023 – NCSC-UK: SEABORGIUM and TA453 continue their respective spear-phishing campaigns against targets of interest
January 06, 2023 – Reuters: Exclusive: Russian hackers targeted U.S. nuclear scientists (News article)

2022

December 05, 2022:
- Sekoia: Calisto show interests into entities involved in Ukraine war support
- Recorded Future: Exposing TAG-53’s Credential Harvesting Infrastructure Used for Russia-Aligned Espionage Operations
December 02, 2022 – PwC: Blue Callisto orbits around US Laboratories in 2022
August 15, 2022 – Microsoft: Disrupting SEABORGIUM’s ongoing phishing operations
June 22, 2022 – Sekoia: CALISTO continues its credential harvesting campaign
May 03, 2022 – Google Threat Analysis Group: Update on cyber activity in Eastern Europe
March 30, 2022 – Google Threat Analysis Group: Tracking cyber activity in Eastern Europe

2017

April 13, 2017 – F-Secure: The Callisto Group (PDF)