Not Simon 🐐

Country: People's Republic of China (PRC) Organization: Hubei State Security Department (HSSD), of the Ministry of State Security (MSS) Objective: Espionage (Page Last Updated: December 05, 2024)

Aliases:

• BRONZE VINEWOOD (Secureworks)
• Judgment Panda (CrowdStrike)
• Red keres (PwC)
• TA412 (Proofpoint)
• Violet Typhoon (Microsoft)
• ZIRCONIUM (formerly used by Microsoft, MITRE)
• RedBravo (Recorded Future)

Front Company

• Wuhan Xiaoruizhi Science and Technology Company, Limited (Wuhan XRZ, 武汉晓睿智科技有限责任公司)

Identified Members

• Ni Gaobin (倪高彬)
• Weng Ming (翁明)
• Cheng Feng (程锋)
• Peng Yaowen (彭耀文)
• Sun Xiaohui (孙小辉)
• Xiong Wang (熊旺)
• Zhao Guangzong (赵光宗)

References

Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.

Links (Sorted in Chronological Order)

2024

• October 31, 2024 – Sophos: Pacific Rim: Inside the Counter-Offensive—The TTPs Used to Neutralize China-Based Threats
• March 25, 2024:
  • U.S. Department of Justice: Seven Hackers Associated with Chinese Government Charged with Computer Intrusions Targeting Perceived Critics of China and U.S. Businesses and Politicians
  • U.S. State Department: U.S. Takes Action to Further Disrupt PRC Cyber Activities
  • Rewards for Justice: APT31/Wuhan Xiaoruizhi Science &Technology Company, Ltd.
  • U.S. Treasury: Treasury Sanctions China-Linked Hackers for Targeting U.S. Critical Infrastructure
  • United Kingdom: UK holds China state-affiliated organisations and individuals responsible for malicious cyber activity
  • NCSC-UK: UK calls out China state-affiliated actors for malicious cyber targeting of UK democratic institutions and parliamentarians

2021

• CERT-FR: (Update) APT31 modus operandi attack campaign targeting France (French language)

Feedback: Please direct message any comments, concerns, corrections or questions to https://infosec.exchange/@screaminggoat

Country: Russia Organization: Military Unit 74455, of the Main Center for Special Technologies (GTsST), of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), formerly known as the Main Intelligence Directorate Objective: Espionage, Attack, Influence Operations

Aliases:

• UAC-0133 (CERT-UA)
• Sandworm Team (Trend Micro, MITRE)
• Sandworm (ESET, Rapid7)
• Iron Viking (SecureWorks)
• CTG-7263 (SecureWorks)
• APT44 (Google Cloud, Mandiant)
• FROZENBARENTS (Google Threat Analysis Group)
• IRIDIUM (formerly used by Microsoft)
• Seashell Blizzard (Microsoft)
• Voodoo Bear (CrowdStrike)
• ELECTRUM (Dragos)
• Quedagh
• Black Energy (Group)
• TEMP.Noble

Personas Used

• Cyber Army of Russia Reborn

Identified Members

• Yuriy Sergeyevich Andrienko:
  • Rewards for Justice
  • FBI Most Wanted
• Sergey Vladimirovich Detistov:
  • Rewards for Justice
  • FBI Most Wanted
• Pavel Valeryevich Frolov:
  • Rewards for Justice
  • FBI Most Wanted
• Anatoliy Sergeyevich Kovalev:
  • Rewards for Justice
  • FBI Most Wanted
• Artem Valeryevich Ochichenko:
  • Rewards for Justice
  • FBI Most Wanted
• Petr Nikolayevich Pliskin:
  • Rewards for Justice
  • FBI Most Wanted

Links

• U.S. Department of Defense: New Sandworm malware Cyclops Blink replaces VPNFilter (PDF, February 23, 2022)
• U.S. Department of Justice:
  • Six Russian GRU Officers Charged in Connection with Worldwide Deployment of Destructive Malware and Other Disruptive Actions in Cyberspace (October 19, 2020)
  • Justice Department Announces Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate (GRU) (April 6, 2022)
• CISA: Infamous Chisel Malware Analysis Report (August 31, 2023)
• NSA: Government Agencies Report New Russian Malware Targets Ukrainian Military (August 31, 2023)
• NCSC-UK: New Sandworm malware Cyclops Blink replaces VPNFilter (February 23, 2022)

Country: Russian Federation Organization: Federal Security Service (FSB) Center 18 Motivation: Espionage (Page last updated January 16, 2025)

Aliases

• SEABORGIUM (formerly used by Microsoft)
• Star Blizzard (Microsoft)
• TA446 (Proofpoint)
• COLDRIVER (Google Threat Analysis Group)
• TAG-53 (formerly used by Recorded Future)
• BlueCharlie (Recorded Future)
• Iron Frontier (Secureworks)
• Blue Callisto (PwC)
• Calisto (Sekoia)
• The Callisto Group (F-Secure, now called WithSecure)
• UNC4057 (Mandiant)
• Gossamer Bear (CrowdStrike)

Identified Members

• Ruslan Aleksandrovich Peretyatko
  • Rewards for Justice
  • FBI Most Wanted
• Andrey Stanislavovich Korinets
  • Rewards for Justice
  • FBI Most Wanted

References (Sorted by Chronological Order)

2025

• January 16, 2025 – Microsoft: New Star Blizzard spear-phishing campaign targets WhatsApp accounts

2024

• October 01, 2024 – Zimperium: Zimperium Coverage on COLDRIVER Phishing Campaign
• September 07, 2024 – Free Russia Foundation: Free Russia Foundation Response to Data Breach
• April 25, 2024 – Mandiant: Poll Vaulting: Cyber Threats to Global Elections

2023

• December 13, 2023 – Sekoia: CALISTO doxxing: Sekoia.io findings concurs to Reuters’ investigation on FSB-related Andrey Korinets
• December 8, 2023:
  • NCSC-NZ: Joint Advisory: Russian state cyber actors’ global spear-phishing campaigns
  • ACSC ASD: Russian FSB cyber actor Star Blizzard continues worldwide spear-phishing campaigns
• December 7, 2023: (ATTRIBUTION)
  • NCSC-UK: Russian FSB cyber actor Star Blizzard continues worldwide spear-phishing campaigns
  • United Kingdom: UK exposes attempted Russian cyber interference in politics and democratic processes
  • CISA: Russian FSB Cyber Actor Star Blizzard Continues Worldwide Spear-phishing Campaigns
  • FBI: Russian FSB cyber actor Star Blizzard continues worldwide spear-phishing campaigns. (PDF)
  • U.S. Cyber Command: US, Allies Highlight Russian-State Cyber Actor “Star Blizzard” Spear-phishing Campaigns
  • U.S. Department of Justice: Two Russian Nationals Working with Russia’s Federal Security Service Charged with Global Computer Intrusion Campaign
  • U.S. Treasury: United States and the United Kingdom Sanction Members of Russian State Intelligence-Sponsored Advanced Persistent Threat Group
  • U.S. State Department: U.S. Takes Action to Further Disrupt Russian Cyber Activities
  • Microsoft: Star Blizzard increases sophistication and evasion in ongoing attacks
• August 02, 2023 – Recorded Future: BlueCharlie, Previously Tracked as TAG-53, Continues to Deploy New Infrastructure in 2023
• February 15, 2023 – Mandiant/Google TAG: Fog of War: How the Ukraine Conflict Transformed the Cyber Threat Landscape (PDF)
• January 26, 2023 – NCSC-UK: SEABORGIUM and TA453 continue their respective spear-phishing campaigns against targets of interest
• January 06, 2023 – Reuters: Exclusive: Russian hackers targeted U.S. nuclear scientists (News article)

2022

• December 05, 2022:
  • Sekoia: Calisto show interests into entities involved in Ukraine war support
  • Recorded Future: Exposing TAG-53’s Credential Harvesting Infrastructure Used for Russia-Aligned Espionage Operations
• December 02, 2022 – PwC: Blue Callisto orbits around US Laboratories in 2022
• August 15, 2022 – Microsoft: Disrupting SEABORGIUM’s ongoing phishing operations
• June 22, 2022 – Sekoia: CALISTO continues its credential harvesting campaign
• May 03, 2022 – Google Threat Analysis Group: Update on cyber activity in Eastern Europe
• March 30, 2022 – Google Threat Analysis Group: Tracking cyber activity in Eastern Europe

2017

• April 13, 2017 – F-Secure: The Callisto Group (PDF)