Not Simon 🐐

Country: Islamic Republic of Iran
Organization: Ministry of Intelligence and Security (MOIS)
Objective: Espionage
(Page last updated October 26, 2024)

Aliases:

  • MuddyWater (CERTFA, Check Point, Cisco Talos Intelligence, Clearsky, Deep Instinct, ESET Research, Group-IB, MITRE, Kaspersky, Trellix, Unit 42)
  • Seedworm (Symantec)
  • TEMP.Zagros (FireEye)
  • Static Kitten (CrowdStrike)
  • MERCURY (formerly used by Microsoft)
  • Mango Sandstorm (Microsoft)
  • Boggy Serpens (Unit 42)
  • ENT-11 (NTT Security)
  • TA450 (Proofpoint)
  • Cobalt Ulster (SecureWorks)
  • ATK 51 (Thales)
  • T-APT-14 (Tencent)
  • ITG17 (IBM)
  • Yellow Nix (PWC)
  • Earth Vetala (Trend Micro)

Vulnerabilities Exploited

  • CVE-2023-27350 (CVSSv3: 9.8 critical) PaperCut MF/NG Improper Access Control Vulnerability. Source: Microsoft
  • CVE-2021-45046 (CVSSv3: 9.0 critical) Apache Log4j2 Remote Code Execution Vulnerability (related to Log4Shell). Source: Microsoft
  • CVE-2021-44228 (CVSSv3: 10.0 critical) Apache Log4j2 Remote Code Execution Vulnerability (aka Log4Shell). Source: Microsoft
  • CVE-2020-1472 (CVSSv3: 10.0 critical) Netlogon Elevation of Privilege Vulnerability (aka ZeroLogon). Source: Clearsky, CISA
  • CVE-2020-0688 (CVSSv3: 8.8 high) Microsoft Exchange Validation Key Remote Code Execution Vulnerability. Source: CISA, SentinelOne, Clearsky
  • CVE-2017-0199 (CVSSv3: 7.8 high) Microsoft Office/WordPad Remote Code Execution Vulnerability. Source: Clearsky, CISA


Country: People's Republic of China (PRC)
Organization: Hubei State Security Department (HSSD), of the Ministry of State Security (MSS)
Objective: Espionage

Aliases:

  • BRONZE VINEWOOD (Secureworks)
  • Judgment Panda (CrowdStrike)
  • Red Keres (PwC)
  • TA412 (Proofpoint)
  • Violet Typhoon (Microsoft)
  • ZIRCONIUM (formerly used by Microsoft, MITRE)
  • RedBravo (Recorded Future)

Front Company

  • Wuhan Xiaoruizhi Science and Technology Company, Limited (Wuhan XRZ, 武汉晓睿智科技有限责任公司)

Identified Members

  • Ni Gaobin (倪高彬)
  • Weng Ming (翁明)
  • Cheng Feng (程锋)
  • Peng Yaowen (彭耀文)
  • Sun Xiaohui (孙小辉)
  • Xiong Wang (熊旺)
  • Zhao Guangzong (赵光宗)

Country: Russia
Organization: Military Unit 74455, of the Main Center for Special Technologies (GTsST), of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), formerly known as the Main Intelligence Directorate
Objective: Espionage, Attack, Influence Operations

Aliases:

  • UAC-0133 (CERT-UA)
  • Sandworm Team (Trend Micro, MITRE)
  • Sandworm (ESET, Rapid7)
  • Iron Viking (SecureWorks)
  • CTG-7263 (SecureWorks)
  • APT44 (Google Cloud, Mandiant)
  • FROZENBARENTS (Google Threat Analysis Group)
  • IRIDIUM (formerly used by Microsoft)
  • Seashell Blizzard (Microsoft)
  • Voodoo Bear (CrowdStrike)
  • ELECTRUM (Dragos)
  • Quedagh
  • Black Energy (Group)
  • TEMP.Noble

Personas Used

  • Cyber Army of Russia Reborn

Identified Members

Country: Russian Federation
Organization: Federal Security Service (FSB) Center 18
Motivation: Espionage
(Page last updated October 02, 2024)

Aliases:

  • SEABORGIUM (formerly used by Microsoft)
  • Star Blizzard (Microsoft)
  • TA446 (Proofpoint)
  • COLDRIVER (Google Threat Analysis Group)
  • TAG-53 (formerly used by Recorded Future)
  • BlueCharlie (Recorded Future)
  • Iron Frontier (Secureworks)
  • Blue Callisto (PwC)
  • Calisto (Sekoia)
  • The Callisto Group (F-Secure, now called WithSecure)
  • UNC4057 (Mandiant)
  • Gossamer Bear (CrowdStrike)

Identified Members
