Who they are and what they have done.
February 16, 2023
Author: Lily Pouliot
Group Name: Carbon Spider
Source: CrowdStrike
Location: Unknown
About:
- Another common name for Carbon Spider is FIN7.
- The group has been active since 2013 and is regarded as one of the most skilled criminal groups, as well as one of the oldest operating eCrime groups.
- They mainly target the hospitality and retail sectors and the POS devices of businesses in order to obtain payment card data.
- Multiple malware families were used in these campaigns, such as Sekur, RAT, BV Flash, Bateleur, and Harpy.
- As recently as 2020, the group has pursued big game hunting with ransomware, using the REvil and Darkside ransomware families to aid them.
- The credit card data stolen from the companies they target can be found on criminal forums such as Joker’s Stash.
Targeted Nations:
- Bulgaria, Czech Republic, France, Germany, Ireland, Kuwait, Lebanon, Norway, Poland, Romania, Russian Federation, Spain, United Arab Emirates, United Kingdom, United States, and Yemen.
Attacks:
- A ransomware-as-a-service (RaaS) partner program for Darkside was created in November 2020.
- After shifting focus to companies using POS (Point of Sale) devices in 2020, the group ran an indiscriminate operation in April 2020 that attempted to infect a large number of people through a broad spam campaign. This strategy used malicious links that installed backdoors.
- Carbon Spider has created multiple backdoors, named Harpy, Leo VBS, JSS Loader, Domenus VBS, and Domenus JS. They can capture screenshots and browser history and download secondary payloads.
- Carbon Spider is responsible for certain REvil campaigns delivered through JSS Loader or Domenus VBS/JS infections.
- July 2020 saw a phishing email titled “Notification: Package Status Fail.” that was disguised as coming from the U.S.-based delivery company UPS. The link downloaded malware that was used as a backdoor.
- Carbon Spider shifted from POS malware to BGH (big game hunting) ransomware attacks, which reflected a broader trend in eCrime.
Group Name: Cobalt Spider
Source: CrowdStrike
Location: Unknown
Targeted Nations:
- Costa Rica, Europe, Georgia, Germany, Greece, Kazakhstan, Kuwait, Latvia, Malaysia, Panama, Qatar, Russian Federation, Taiwan, Turkey, and the United States.
About:
- Cobalt Spider is a criminal group that is financially motivated and has been active since 2016.
- Other names of this adversary include Cobalt, Cobalt Gang, and GOLD KINGSWOOD.
- They are responsible for attacks against financial institutions from multiple regions. They have focused on Russia and the CIS since 2019, but they have shifted to other financial institutions in Europe, the Middle East, and Africa.
- This adversary utilizes spear phishing attacks that impersonate financial institutions. This is done to deliver malware to an unsuspecting victim.
- One of the alleged leaders was arrested in 2018 in Spain, but the group appears to still be active.
Attacks:
- ATM, card processing, payment, and SWIFT systems have all been intruded on by Cobalt Spider.
- SpicyOmelette malware, used in the initial phases of an attack, was deployed by Cobalt Spider to target financial institutions around the world. It is a sophisticated JavaScript remote access tool that gives the attackers remote access to an infected system.
- Machine information it collects includes IP addresses, system names, and lists of installed software applications. It can also install additional malware payloads.
- The Cobalt group shows no intention of stopping, as it is prepared to evolve its toolsets and use its understanding of financial systems to continue the threat.
Group Name: Cozy Bear
Source: CrowdStrike
Location: Russia/Russian Federation
Targeted Nations:
- Austria, Brazil, China, France, Germany, Hungary, Japan, Mexico, Netherlands, New Zealand, Norway, Portugal, South Korea, Spain, Turkey, Ukraine, United Kingdom, United States, and Uzbekistan.
About:
- Cozy Bear also goes by APT29, YTTRIUM, CozyCar, CozyDuke, The Dukes, and IRON HEMLOCK.
- They are an adversary from Russia and may be acting on behalf of the Foreign Intelligence Service of the Russian Federation.
- This group conducts a large number of spear phishing campaigns to deliver various malware families, most likely in an effort to satisfy the collection requirements of Russian operational directorates.
- APT29 is extremely focused on and dedicated to specific targets, and makes repeated attempts to regain access to networks it has lost control of.
Attacks:
- In March 2014, a private research institute in Washington, D.C. was found to have CozyDuke (Trojan.Cozer) on its network. The hacker group soon sent out an email to trick office workers into clicking on a Flash video of office monkeys, which also included a malicious executable. This allowed them to compromise government networks.
- In August 2015, Cozy Bear was linked to a spear phishing attack against the Pentagon (the U.S. Department of Defense) email system. This caused a complete shutdown of the Joint Staff’s unclassified email system and internet access during the investigation.
- Multiple U.S-based think tanks and non-governmental organizations were targeted by the adversary in many spear phishing attacks after the 2016 United States presidential election.
- In July 2020, the NSA (National Security Agency), NCSC (National Cyber Security Center), and CSE (Communications Security Establishment) accused Cozy Bear of trying to steal data on vaccines and treatments for COVID-19 that were being developed in the UK, US, and Canada.
- August 24, 2022, marked the date when Microsoft revealed that a customer had been compromised by a Cozy Bear attack. It was a highly persistent compromise of an Active Directory Federation Services (AD FS) server. The attack, dubbed “MagicWeb”, manipulates the certificates used for user authentication.
Group Name: Deadeye Jackal
Source: CrowdStrike
Location: Middle East / Syrian Arab Republic
Targeted Nations:
- Cyprus, Sweden, Syrian Arab Republic, Turkey, United Kingdom, United States
About:
- Recognized as the Syrian Electronic Army, due to its nationalistic allegiance to Syria.
- It has engaged in malicious activities such as website defacements, spear phishing, distributed denial of service attacks, data theft, and disclosure operations.
- CrowdStrike, a cybersecurity company, found that Deadeye Jackal has moved to more covert offensive activity, as the adversary has switched to using malware for the Android platform.
- In April 2011, days into the continuing anti-regime protests in Syria, the SEA (Syrian Electronic Army) announced on Facebook its support for the government of Syrian President Bashar al-Assad.
Attacks:
- Some tools of the Deadeye Jackal group include: AndoServer, SandroRAT, SilverHawk, SLRat, and SpyNote RAT.
- On April 23, 2013, the adversary took over the Twitter account of the AP (Associated Press) and posted a message stating that the White House had been attacked and President Obama injured. The White House released a statement minutes later correcting the claim.
- Multiple communication technology companies and third-party service providers were hit by attacks in July 2013. There were multiple cases of data exfiltration and disruption of social media and web properties. It is believed that some were selected because Syrian opposition groups were using those platforms.
- Among the first of these attacks was one against Truecaller, a global telephone directory that used crowdsourcing to aggregate data about telephone numbers and the people associated with them.
- Deadeye Jackal also exfiltrated data from the network of TangoME, a voice and messaging communication platform. In late July, it hit another messaging company, Viber. It is believed that these companies were hit because Syrian opposition groups were using them to coordinate protests and attacks.
Group Name: Doppel Spider
Source: CrowdStrike
Location: Eastern Europe / Russian Federation
Targeted Nations:
- Austria, Canada, Chile, China, France, Germany, Italy, Japan, Mexico, Qatar, Saudi Arabia, South Africa, Spain, Sweden, Switzerland, United Arab Emirates, United Kingdom, and the United States.
About:
- There are no other identifiers or names for this adversary.
- This is a criminal group that has been active since April 2019. It has created the malware families DoppelDridex and DoppelPaymer.
- Doppel Spider and Indrik Spider are now almost certainly using forked malware code to run Big Game Hunting operations.
Attacks:
- DoppelPaymer (malware developed by Doppel Spider) is known to be an evolution of the BitPaymer ransomware. Based on the history of its attacks, this ransomware is an enterprise-targeting type.
- The first known attack was in June 2019, and the malware has some interesting qualities, such as the ability to terminate processes and services that may interfere with file encryption by using the ProcessHacker tool.
- DoppelPaymer is delivered not only through the Dridex trojan but also through insecure RDP configurations, email spam and malicious attachments, deceptive downloads, botnets, exploits, malicious advertisements, web injects, fake updates, and infected installers.
Group Name: Fancy Bear
Source: CrowdStrike
Location: Russia / Russian Federation
Targeted Nations:
- Armenia, Azerbaijan, Belarus, Belgium, Brazil, Bulgaria, Canada, China, Croatia, France, Georgia, Germany, Hungary, India, Iran, Japan, Kazakhstan, Latvia, Malaysia, Montenegro, Netherlands, Poland, Romania, Slovakia, South Korea, Spain, Sweden, Switzerland, United Kingdom, United States, Uzbekistan, and Western Europe.
About:
- Also known as APT28, STRONTIUM, Sofacy, Zebrocy, Sednit, Pawn Storm, TG-4127, Tsar-Team, Iron Twilight, Swallowtail, SNAKEMACKEREL, and Frozen Lake.
- This is a Russia-based adversary that carries out targeted intrusion operations. Its main targets are the North Atlantic Treaty Organization (NATO), its member states, and Eastern European countries with NATO membership.
- This adversary uses multiple malware families such as Sofacy, WinIDS, X-Agent, and DownRage.
- They also compromise email accounts of targeted organizations using tactics like password spraying.
Attacks:
- In December 2014, Fancy Bear appeared to be responsible for a six-month-long cyber attack on the German parliament. The attack completely froze the Bundestag’s IT infrastructure in May 2015; to deal with the situation, the entire German parliament had to be taken offline for a few days. A total of 16 gigabytes of data was stolen as part of the attack. Another spear phishing attack in August 2016 targeted members of the Bundestag and political parties, raising fears that hackers would gather information to manipulate elections.
- On February 10, 2015, five wives of U.S. military personnel received death threats from a hacker group calling itself “CyberCaliphate” that claimed to be an Islamic State affiliate. This was later discovered to be a false flag operation, and the victims’ emails were found in Fancy Bear’s target list. It was an attempt to use the threat of Islamic State terror attacks on the U.S. to create fear and political tension.
- In May 2015, the security firm root9B published a report on Fancy Bear describing targeted spear phishing attacks aimed at financial institutions such as the United Bank for Africa, Bank of America, TD Bank, and UAE Bank.
- From 2014 to the present, Fancy Bear has used Android malware to target the Ukrainian Army’s Rocket Forces and Artillery. They distributed an infected version of an Android app in order to obtain targeting data for the D-30 howitzer. The app, used by Ukrainian officers, was packed with X-Agent spyware. One claim states that more than 15-20 percent of the D-30 howitzers were destroyed in the war.
- In October 2016, Google’s Threat Analysis Group disclosed a zero-day vulnerability affecting most Microsoft Windows versions. On November 1, 2016, Terry Myerson, Microsoft Executive Vice President of the Windows and Devices Group, posted to Microsoft’s Threat Research & Response Blog about how the company had learned of the vulnerability. Adobe Flash was also affected by the zero-day vulnerability, particularly for users who had it installed.
Group Name: Hammer Panda
Source: CrowdStrike
Location: China
Targeted Nations:
- India, the Russian Federation, the United States, and Uzbekistan.
About:
- Also known as Temp.Zhenbao, this adversary operates in the interests of the Chinese state.
- It has focused on Russia and South Asia in the past, with a particular focus on the government and defense sectors.
- Hammer Panda relies on attack chains that start from decoy documents attached to spear-phishing emails.
Attacks:
- In May 2022, FortiGuard Labs researchers detected a campaign by a Chinese advanced persistent threat (APT) group. They say the group has been active for the past decade and has targeted government, defense, healthcare, telecom, and financial organizations for data theft and surveillance.
- Amid rising border tensions between India and China, Chinese state-sponsored groups have run a concerted campaign against India’s critical infrastructure, including power grids. The attacks, which coincided with the standoff, took place in May 2020. A total of 12 firms were targeted, 10 of them in the power generation and transmission sectors. The victims included a power plant run by National Thermal Power Corporation (NTPC) Limited and the New Delhi-based Power System Operation Corporation.
Group Name: Labyrinth Chollima
Source: CrowdStrike
Location: North Korea
Targeted Nations:
- Argentina, Australia, Belgium, Brazil, Canada, China, Denmark, Norway, Estonia, Germany, Hungary, India, Ireland, Israel, Italy, Japan, Netherlands, New Zealand, Poland, Russian Federation, Saudi Arabia, Singapore, South Korea, Spain, Sweden, Turkey, Ukraine, United Kingdom, United States, and Western Europe.
About:
- Also known as HIDDEN COBRA, BeagleBoyz, Lazarus Group, APT-C-26, Zinc, and Black Artemis.
- The largest Democratic People’s Republic of Korea adversary, active since 2009.
- They have focused on collecting political, military, and economic intelligence on North Korea’s adversaries.
- Labyrinth Chollima is known to have two units, BlueNorOff and AndAriel. BlueNorOff is responsible for illegal money transfers made by forging orders on the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network, while AndAriel is known for targeting South Korea. AndAriel is also known as Silent Chollima, which is tracked as a separate adversary.
Attacks:
- In March 2011, in the attack known as “Ten Days of Rain”, Lazarus Group targeted South Korea’s media, financial, and critical infrastructure sectors with numerous DDoS attacks launched from compromised computers within South Korea. DarkSeoul, a wiper attack that targeted three South Korean broadcast companies, financial institutions, and an ISP, continued the attacks until March 20, 2013.
- On November 24, 2014, a Reddit post stated that Sony Pictures had been hacked. Large amounts of data were stolen and slowly leaked after the attack. The perpetrators called themselves the “Guardians of Peace”. In an interview, an anonymous individual who claimed to be part of the group stated that the group had been stealing Sony’s data for over a year, including unreleased films, emails, and the personal information of around 4,000 employees.
- The WannaCry ransomware attack took place in May 2017 and was a massive ransomware cyberattack that hit multiple places around the world, reaching the NHS in Britain, Boeing, and universities in China. The attack lasted 7 hours and 19 minutes and affected nearly 200,000 computers in 150 countries, mainly in Russia, India, Ukraine, and Taiwan. This was the first attack to spread as a crypto worm, a form of malware that travels between computers over the network by exploiting TCP port 445. Since there was an easy kill switch and little ransom was collected, it is suspected that the entire attack was simply meant to cause chaos.
Group Name: Mythic Leopard
Source: CrowdStrike
Location: Pakistan
Targeted Nations:
- India, Pakistan, the United States, and the United Kingdom
About:
- Also known as Transparent Tribe, C-Major, APT36, ProjectM, and COPPER FIELDSTONE, they are a targeted intrusion adversary that serves the strategic intelligence requirements of the Pakistani state.
- They have a history of using multiple custom malware families against the Windows and Android operating systems. Their primary targets are government, military, and defense-related entities in India.
Attacks:
- Operation “Transparent Tribe”: an attack in 2012 targeted officials at the Indian embassies in Saudi Arabia and Kazakhstan. The emails contained malware attachments and were sent from an IP address belonging to Cantabo, a hosting service provider.
- SmeshApp attack: in 2016 the Indian television channel CNN-IBN was looted by Pakistani authorities as they collected data on Indian troop movements using an Android app called SmeshApp.
- Operation “C-Major”: this phishing campaign was organized by Mythic Leopard in 2016 and targeted Indian military officials through Adobe Reader vulnerabilities. In 2017 another hacking campaign impersonated the Indian think tank Institute for Defense Studies and Analysis (IDSA) and sent spear-phishing emails targeting Central Bureau of Investigation (CBI) officials. 2019 marked an evolution for Mythic Leopard, as they accelerated their activities and created new tools, this time focusing on Afghanistan. In 2020 a new campaign used a new C2 server, a new module named USBWorm, and the group’s .NET tool CrimsonRAT.
- Operation “Honey Trap”: Mythic Leopard carried out targeted attacks on defense organizations in India, ObliqueRAT returned in new campaigns using compromised websites, and the adversary began using new malware to target Indian government officials.
Group Name: Ocean Buffalo
Source: CrowdStrike
Location: Vietnam
Targeted Nations:
- Cambodia, China, Germany, the Philippines, the United States, and Vietnam.
About:
- Active since 2012, Ocean Buffalo is a Vietnam-based targeted intrusion adversary, also known as OceanLotus, SeaLotus, APT32, and TIN WOODLAWN.
- They use a wide range of tactics, techniques, and procedures to collect information on targets seen as threats to the Vietnamese government. The adversary may also have economic and geopolitical espionage objectives.
- A report in December 2020 linked Ocean Buffalo’s activity to a private Vietnamese IT company.
Attacks:
- In 2020, Bloomberg, a private financial data, news, and insight company, reported that OceanLotus targeted China’s Ministry of Emergency Management and the Wuhan municipal government to obtain information about the COVID-19 pandemic.
- In 2020, another report, this time from Kaspersky researchers, stated that Ocean Buffalo had been distributing malware through the Google Play Store.
- In November 2020, Volexity researchers found that Ocean Buffalo had also been setting up fake websites and Facebook pages to profile visitors and distribute malware.
- Amnesty International reported in February 2021 that OceanLotus had launched a number of spyware attacks against Vietnamese human rights activists, including the human rights blogger Bui Thanh Hieu. Amnesty Tech’s Security Lab found evidence in phishing emails sent to two prominent Vietnamese human rights defenders.
Group Name: Pinchy Spider
Source: CrowdStrike
Location: Eastern Europe / Russian Federation
Targeted Nations:
- Argentina, Australia, Belgium, Brazil, Canada, Chile, China, Europe, France, Germany, Hong Kong, Indonesia, Italy, Jamaica, Japan, Luxembourg, Mexico, Norway, Singapore, Slovenia, South Africa, South Korea, Spain, Sweden, Switzerland, Trinidad and Tobago, United Arab Emirates, United Kingdom, and the United States.
About:
- This adversary is also known as GandCrab, REvil, Sodinokibi, GOLD GARDEN, and GOLD SOUTHFIELD.
- They are a criminal group behind the development and operation of several ransomware families. GandCrab was operated from January 2018 to April 2019, and REvil from April 2019 onward. GandCrab version 5.2, released in February 2019, is immune to the decryption tools that had worked on earlier versions.
- Pinchy Spider sells access to its ransomware through a partnership program with a limited number of accounts, a model known as Ransomware-as-a-Service (RaaS).
- They also run a dedicated leak site (DLS) to post data stolen in REvil attacks in order to extort ransom payments.
- Pinchy Spider takes part in targeted, low-volume but high-return ransomware deployment called “big game hunting”, which is the latest trend among criminal adversaries.
Attacks:
- In May 2020, Pinchy Spider stole nearly one terabyte of information from the law firm Grubman Shire Meiselas & Sacks and demanded a ransom in exchange for not publishing the stolen information.
- On March 18, 2021, a claim announced that data had been downloaded from Acer, the multinational hardware and electronics corporation. Ransomware was also installed, and the intrusion can be linked to the 2021 Microsoft Exchange Server data breach. A ransom of 100 thousand U.S. dollars was posted for the stolen data, with a threat to delete it if the ransom was not paid by March 28, 2021.
- On March 27, 2021, REvil successfully attacked the Harris Federation and published financial documents to the adversary’s blog. IT systems were shut down for a few weeks, affecting up to 37,000 students.
- On July 2, 2021, Pinchy Spider used Kaseya’s desktop management software to push its ransomware into the systems of hundreds of managed service providers. The adversary demanded 70 million U.S. dollars to restore the encrypted data. As a consequence, the Swedish Coop grocery store chain was forced to close 800 stores for a few days.
Group Name: Remix Kitten
Source: CrowdStrike
Location: Iran
Targeted Nations:
- Canada, Iran, Israel, Jordan, Kuwait, Saudi Arabia, Turkey, and the United Arab Emirates.
About:
- Also known as Chafer, Cadelle, APT39, and ITG07, this is an Iran-nexus adversary.
- They conduct targeted intrusions aligned with the Iranian government’s counterintelligence priorities.
- Targeted organizations are concentrated in the travel and hospitality sectors, especially those that hold large amounts of personal information.
- Leaks between 2018 and 2019 exposed sensitive parts of Remix Kitten’s operations.
Attacks:
- In 2013, the cybersecurity firm FireEye released a report stating that Rocket Kitten had run several cyberespionage operations against U.S. defense industrial base companies. The operation, called Saffron Rose, also targeted Iranian citizens who used anti-censorship tools to bypass Iran’s internet filters.
- In November 2015, the firm Check Point gained access to Rocket Kitten’s hacker database, “Oyun”. They found an application that could generate personalized phishing pages and a list of over 1,842 targets. Of the spear phishing targets, 18% were from Saudi Arabia, 17% from the United States, 16% from Iran, 8% from the Netherlands, and 5% from Israel. Check Point was also able to identify an individual named Yaser Balaghi, who went by Wool3n.H4t and was the ringleader of the operation.
- In August 2016, Rocket Kitten took part in another hack, this time against Telegram, a cloud-based instant messaging service. They exploited Telegram’s reliance on SMS verification and compromised over a dozen accounts. They also obtained the user IDs and telephone numbers of 15 million Iranians who used the software, mainly members of opposition organizations and reformist political activists.
Group Name: Ricochet Chollima
Source: CrowdStrike
Location: North Korea
Targeted Nations:
- Hong Kong, North Korea, Russian Federation, South Korea, United States, Saudi Arabia, Turkey, United Arab Emirates, and Vietnam.
About:
- Also known as ScarCruft, APT37, Group123, Reaper, and Red Eyes.
- They are a Democratic People’s Republic of Korea-nexus targeted intrusion adversary.
- This adversary focuses on, and has been involved in, espionage operations since at least 2016. They have exclusively targeted the Republic of Korea, with a focus on government officials, non-governmental organizations, academics, journalists, and North Korean defectors.
Attacks:
- Ricochet Chollima is often described as the “most overlooked North Korean threat actor”. They have been active since 2012. Starting in 2017, they became more active and expanded their targeting to include the manufacturing, electronics, healthcare, and automotive industries.
- Their malware is a Remote Access Trojan (RAT) known as Konni, used to create persistence and perform host privilege escalation within breached systems. In the latest campaign, Konni RAT malware spread through an email phishing scam has mainly targeted Czechia and Poland.
- The malicious attachment is an archive containing a Word document (missle.docx) and a Windows shortcut file (_weapons.doc.lnk.lnk). Once it is opened, the infection chain starts. The adversary then collects information, takes screenshots, steals files, and establishes a remote interactive shell.
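The attachment layout described above (a decoy document beside a shortcut whose name ends in a doubled extension) is something a mail gateway or triage script can flag before the archive reaches a user. The following Python is an added illustration, not part of this profile or of any CrowdStrike material: it builds a constructed sample ZIP with the two member names from the bullet plus one extra member, then scans every member for a document-looking name that ends in .lnk and for the Shell Link file header (HeaderSize 0x4C followed by the LinkCLSID 00021401-0000-0000-C000-000000000046, from the MS-SHLLINK specification) regardless of what the name claims. The member contents, the helper names, and the extra readme.txt member are all assumptions made for the example.

```python
from __future__ import annotations

import io
import re
import zipfile

# Shell Link (.lnk) header: HeaderSize 0x0000004C (little-endian) followed by
# the 16-byte LinkCLSID 00021401-0000-0000-C000-000000000046 (MS-SHLLINK).
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

# Document-looking extensions that are paired with a trailing .lnk so the
# shortcut reads as a document when Explorer hides known extensions.
DOC_EXTS = ("doc", "docx", "pdf", "xls", "xlsx", "ppt", "pptx", "txt", "lnk")
DECEPTIVE_NAME = re.compile(r"\.(?:" + "|".join(DOC_EXTS) + r")\.lnk$", re.IGNORECASE)


def scan_archive(zip_bytes: bytes) -> list[dict]:
    """Return one finding per archive member that looks like a disguised shortcut.

    Two independent checks are applied: (1) the member name carries a document
    extension immediately before a final .lnk, and (2) the member's first bytes
    are a Shell Link header, whatever the name says.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            if DECEPTIVE_NAME.search(info.filename):
                reasons.append("double extension ending in .lnk")
            with zf.open(info) as member:
                head = member.read(len(LNK_MAGIC))
            if head == LNK_MAGIC:
                reasons.append("Shell Link header")
                if not info.filename.lower().endswith(".lnk"):
                    reasons.append("LNK content under non-.lnk name")
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample mirroring the attachment layout in the profile (assumed contents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Decoy document: placeholder bytes standing in for an OOXML container.
        zf.writestr("missle.docx", b"PK\x03\x04" + b"\x00" * 60)
        # Shortcut with a doubled extension; body is a minimal LNK header plus padding.
        zf.writestr("_weapons.doc.lnk.lnk", LNK_MAGIC + b"\x00" * 56)
        # Hypothetical extra member: LNK bytes hiding behind a .txt name.
        zf.writestr("readme.txt", LNK_MAGIC + b"\x00" * 56)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_archive(build_sample_archive()):
        print(finding["name"], "->", ", ".join(finding["reasons"]))
```

Both checks matter: the name check catches the social-engineering trick on its own, and the header check catches a shortcut renamed to hide its type entirely, which the name check would miss.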
Group Name: Silent Chollima
Source: CrowdStrike
Location: North Korea
Targeted Nations:
- Brazil, Canada, China, Germany, India, Israel, Japan, Norway, Philippines, Romania, Russian Federation, South Korea, Sweden, United States, and Vietnam.
About:
- Other names include Andariel; the group is also described as a component of the Lazarus Group.
- This group has been active since 2009 and is a Democratic People’s Republic of Korea-nexus adversary.
- They used to focus on destructive and espionage activities, but their mission changed in 2015.
- They have recently made more efforts to collect intelligence on government and military entities, along with economic espionage against targeted privately owned companies, especially ones focused on processing technology that could help the DPRK develop its economy.
Attacks:
- On July 4, 2009, there was a massive DDoS attack on over thirty websites in the U.S. and South Korea, including those of the White House, the Pentagon, and major e-commerce and financial services companies. Silent Chollima then deployed wiper malware in South Korea, causing large-scale data deletion and temporary incapacitation. Silent Chollima has used the same data-destructive attacks against South Korean businesses and government organizations for the past few years.
- In early 2021, the group used an ActiveX zero-day exploit for watering hole attacks on South Korean websites, which they called “Operation GoldenAxe”. Later that year, Silent Chollima injected its script into four other compromised South Korean websites for reconnaissance purposes.
- Reconnaissance is the stage where attackers collect information on potential targets to help determine what tactics will work. Silent Chollima’s use of this tactic gives an idea of its plans.
Group Name: Stardust Chollima
Source: CrowdStrike
Location: North Korea
Targeted Nations:
- Bangladesh, Belarus, Brazil, Chile, China, Costa Rica, Ecuador, Guatemala, Hong Kong, India, Japan, Kuwait, Liberia, Mexico, Nigeria, Peru, Philippines, Poland, South Africa, Spain, Taiwan, Tunisia, United Kingdom, United States, Uruguay, Venezuela, and Vietnam.
About:
- Other names are APT38, Lazarus Group, Bluenoroff, HIDDEN COBRA, BeagleBoyz, CageyChameleon, Leery Turtle, CryptoCore, CryptoMimic, and Dangerous Password.
- This is another Democratic People’s Republic of Korea-nexus adversary, and the one most commonly associated with large-scale currency operations.
- Their main goal seems to be currency theft, but they also conduct espionage-motivated operations. These operations have cashed out hundreds of millions of stolen U.S. dollars, which could be a major source of funding for the DPRK state.
Attacks:
- This is the largest group, as it operates directly under the highest authority of the RGB (Reconnaissance General Bureau) and has access to the most resources. It is subordinate to the 110th Research Center under the 3rd Bureau, or 3rd Technical Surveillance Bureau, of the RGB, which is responsible for overseeing all of North Korea’s cyber operations.
- According to the joint security advisory issued by the Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency (CISA), and the U.S. Treasury Department, Stardust Chollima has been targeting a variety of organizations in the blockchain technology and cryptocurrency industry. Their tactics include social engineering and spear phishing to get victims to download trojanized cryptocurrency applications on either the Windows or macOS operating systems.
- Lazarus and a group called AppleJeus created trojan-infected cryptocurrency applications targeting individual companies, including cryptocurrency exchanges and financial services companies.
- The U.S. Treasury Department claimed Lazarus was connected to a $625 million cryptocurrency theft from the Ronin bridge linked to Axie Infinity, a popular play-to-earn game. The U.S. has also observed them targeting cryptocurrency exchanges, decentralized finance (DeFi) protocols, play-to-earn crypto games, crypto trading companies, valuable non-fungible tokens (NFTs), and other crypto businesses.
Group Name: Twisted Spider
Source: CrowdStrike
Location: Unknown
Targeted Nations:
- Algeria, Argentina, Australia, Austria, Belgium, Brazil, Canada, China, Colombia, Costa Rica, Czech Republic, Denmark, Egypt, France, Germany, Hong Kong, India, Italy, Japan, Kenya, Luxembourg, Macedonia, Netherlands, Nigeria, Norway, Oman, Puerto Rico, Saudi Arabia, Singapore, South Africa, South Korea, Spain, Sri Lanka, Switzerland, Thailand, United Arab Emirates, United Kingdom, United States, and Vietnam.
About:
- Also known as Maze Team, they are a criminal cyber group behind the ransomware projects Maze and Egregor.
- Maze ransomware ran from May 2019 to November 2020, while Egregor ran from September 2020; no further activity has been seen for that ransomware since February 2021.
- Maze ransomware is known to be distributed through exploit kits (EK), spam campaigns, and Remote Desktop Protocol (RDP) credentials used to gain access.
- Egregor ransomware gained access through QakBot, a banking trojan created by Mallard Spider, and by targeting external Virtual Private Network (VPN) and Remote Desktop Protocol (RDP) services.
Attacks:
- From May 2019 to November 2020, Twisted Spider used Maze ransomware. They then moved to Egregor ransomware from September 2020 to the present day. The two campaigns used their own malware and infrastructure, separate from each other.
- Maze Team’s attack method is to infect networks by encrypting every device it comes into contact with. The data is also stolen and placed on the group’s own servers, and a ransom is then demanded, with a threat to publish the stolen data.
- On Thursday, March 26, the insurance company Chubb investigated a security incident attributed to Twisted Spider, which had breached data belonging to a third party. From what is known, the stolen data includes the names and email addresses of three senior executives, including the CEO.
- On April 1, 2020, the Algerian oil firm Berkine, a joint venture with a U.S. subsidiary, was next in line for an attack. Twisted Spider was able to steal the entire database, more than 500 MB of private information including financial, strategic, and production data. Some of that data was leaked, including the 2020 goals, cost per barrel, budgets, and employee information.
Group Name: Venomous Bear
Source: CrowdStrike
Location: Russia / Russian Federation
Targeted Nations:
- Afghanistan, Argentina, Austria, Belarus, Belgium, Brazil, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Georgia, Germany, Hungary, India, Iraq, Italy, Jordan, Kazakhstan, Kuwait, Latvia, Lithuania, Moldova, Montenegro, Netherlands, Poland, Qatar, Romania, Russian Federation, Saudi Arabia, Singapore, South Korea, Spain, Sweden, Switzerland, Turkey, Ukraine, United Kingdom, United States, and Uzbekistan
About:
- Also known as Turla, KRYPTON, Uroboros, Snake, Waterbug, and IRON HUNTER, they rely on novel and sophisticated techniques to maintain their operational security.
- They are a Russia-nexus adversary that uses distinctive command-and-control networks, which are highly likely to be supported by Signals Intelligence assets.
- Their operations are highly focused: they are an espionage-oriented adversary that aims to obtain diplomatic intelligence, most likely for reporting to various levels of the Russian government.
Attacks:
- Tools used by Venomous Bear include Gazer, KopiLuwak, ICEDCOFFEE, the Carbon backdoor, and the LightNeuron backdoor.
- This adversary targeted the US Central Command in 2008, a former Soviet Union member state in 2012, the Swiss technology company RUAG in 2014, and G20 attendees in April 2017. The G20 attendees included politicians, policymakers, and journalists.
- In March 2018, Germany’s government computer network, including the Federal Foreign Office and the Federal College of Public Administration, was also attacked.
- The first sighting of this adversary involved a Remote Access Trojan (RAT) named Reductor, which allowed them to take full control of systems and modify browser configurations.
- In October 2018, the adversary was seen using Iranian cyber-espionage tooling and posing as attackers from the Islamic Republic. They used tools from the Iranian APT known as Helix Kitten and attacked over 20 countries over 18 months. Rather than collaborating, Venomous Bear infiltrated Helix Kitten to obtain code for building their own tools.
Group Name: Viceroy Tiger
Source: CrowdStrike
Location: India
Targeted Nations:
- Afghanistan, Australia, Canada, China, India, Iran, Norway, Oman, Pakistan, Russian Federation, Saudi Arabia, Singapore, Taiwan, Turkey, United Arab Emirates, United Kingdom, and the United States.
About:
- Also known as Operation Hangover, Appin, APT-C-35, and Donot, they have a heavy focus on targeting Pakistan, China, and other countries in the South Asia region.
- They are an adversary with a nexus to India that actively targets entities across a range of geographies and sectors.
- In 2013, an industry report identified a link between this adversary and an India-based technology security company. Operations have continued since then, mainly using custom malware families.
Attacks:
- In 2015, Viceroy Tiger focused on entities in Pakistan, mainly those in the government and security sectors. They rely on spear-phishing emails containing malicious Microsoft Office documents.
- This adversary’s methods also target the Android mobile platform and are designed to gather user credentials.
- In March 2017, the 360 Chasing Team identified a sample from a targeted attack. They named the attacking organization APT-C-35 and exposed the group’s attacks against Pakistan, along with the EHDevel malicious code it developed.
- Viceroy Tiger has also updated its Jaca Windows malware toolkit, including new modules designed to gather information from the Google Chrome and Mozilla Firefox browsers.
Group Name: Wicked Panda
Source: CrowdStrike
Location: China
Targeted Nations:
- Germany, Hong Kong, India, Japan, South Korea, Taiwan, and the United States.
About:
- Some other names include Winnti, Group 72, BARIUM, LEAD, GREF, APT41, TG-2633, and BRONZE ATLAS.
- They have been the most effective and problematic China-based adversary, active from the mid-2010s into the 2020s.
- The group has expanded both its targets and its toolset while shifting from criminally focused activity to state-sponsored targeted intrusions, often aligned with the interests of the Chinese Communist Party.
Attacks:
- In early 2018, Wicked Panda accessed the network of Bayer, the German chemical giant. The group used Winnti malware, which was also spotted in other, smaller German companies. However, Bayer states that there is no evidence of data theft.
- Wicked Panda also targeted the German technology group ThyssenKrupp in 2016, resulting in a major theft of technical trade secrets from its steel production and manufacturing plant design divisions.
- Winnti malware (Backdoor.Win32(Win64).Winnti by Kaspersky) first appeared around 2011. It allows remote code execution and can compromise entire corporate networks. It has been found in companies such as ESTsoft Corp, Rosso Index KK, and MGAME Corp.
Group Name: Wizard Spider
Source: CrowdStrike
Location: Eastern Europe / Russian Federation
Targeted Nations:
- Australia, Belgium, Canada, Dominican Republic, Europe, France, Germany, Italy, Japan, Mexico, Netherlands, New Zealand, Norway, Singapore, Spain, Switzerland, Taiwan, United Kingdom, and the United States.
About:
- Also known as TrickBot, TrickLoader, TheTrick, TotBrick, Ryuk, UNC1878, Anchor, DNS, Conti, BazarLoader, and Kegtap.
- They are a criminal group behind the core development and distribution of a multitude of sophisticated criminal tools, which let them run many different types of operations.
- They have been active since 2016 and some of their tools include: TrickBot, Ryuk, Conti, and BazarLoader.
- Wizard Spider’s malware is not openly advertised on criminal forums; they sell their products to, or work alongside, only selected criminal groups.
Attacks:
- This group focuses on using large amounts of spam to trick victims into downloading malware. They use Qbot, SystemBC, and their own custom-written malware.
- This group has been targeted by Europol (European Union Agency for Law Enforcement Cooperation), Interpol (International Criminal Police Organization), the FBI, and the UK’s National Crime Agency for its crimes.
- The software used is programmed to uninstall itself if it detects that the victim’s system uses the Russian language or has an IP address located in the former Soviet Union, as they do not attack Russia. The members also do not travel outside the country for fear of being arrested.
- Wizard Spider attacked the HSE (Health Service Executive) in Ireland and stole over 700 GB of personal information, such as addresses, phone numbers, payroll information, employment contracts, medical records, and information on doctors and nurses. The criminal group held the information for a ransom of up to 20 million Euros (20,639,300.00 US dollars).
- Since 2018, Wizard Spider has been carrying out ransomware attacks against state bodies, corporations, and healthcare facilities. They also switched from Ryuk to the Conti ransomware at this time to continue their attacks.
Works Cited:
- Abrams, Lawrence. “Ransomware Adopts Doppelpaymer Name given by Researchers.” BleepingComputer, BleepingComputer, 5 Sept. 2019, https://www.bleepingcomputer.com/news/security/ransomware-adopts-doppelpaymer-name-given-by-researchers/.
- Cimpanu, Catalin. “US Treasury Sanctions Three North Korean Hacking Groups.” ZDNET, 13 Sept. 2019, https://www.zdnet.com/article/us-treasury-sanctions-three-north-korean-hacking-groups/.
- Kelly, Clara. “Who Is Wizard Spider? The Group Responsible for the Cyber Attack on the HSE.” JOE.ie, JOE, 18 May 2021, https://www.joe.ie/news/wizard-spider-group-responsible-cyber-attack-hse-722246.
- Editorial Team. “Fancy Bear Hackers (APT28): Targets & Methods.” CrowdStrike Blog, CrowdStrike, 12 Feb. 2019, https://www.crowdstrike.com/blog/who-is-fancy-bear/.
- Feeley, Brendon, et al. “Pinchy Spider Adopts ‘Big Game Hunting’ to Distribute GandCrab.” CrowdStrike Blog, CrowdStrike, 6 Mar. 2019, https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/.
- Kingston, Alex. “#4 Deadeye Jackal – Syrian Electronic Army, Syria Malware Team, ATK 196, TAG-CT2.” LinkedIn, 31 May 2021, https://www.linkedin.com/pulse/4-deadeye-jackal-syrian-electronic-army-syria-malware-kingston/.
- Fraunhofer FKIE. “Viceroy Tiger (Threat Actor).” Malpedia, 2023, https://malpedia.caad.fkie.fraunhofer.de/actor/viceroy_tiger.
- Gatlan, Sergiu. “Microsoft: Lazarus Hackers Are Weaponizing Open-Source Software.” BleepingComputer, BleepingComputer, 29 Sept. 2022, https://www.bleepingcomputer.com/news/security/microsoft-lazarus-hackers-are-weaponizing-open-source-software/.
- Hameed, Mansoor. “Hacker Group Deep Panda That Hit Several Global Firms Is Back.” The Siasat Daily, 3 Apr. 2022, https://www.siasat.com/hacker-group-deep-panda-that-hit-several-global-firms-is-back-2301798/.
- Ikeda, Scott. “Maze Ransomware Group, Infamous for Adding Doxxing Threats to Attacks, Announces It Is Shutting down Its Cyber Crime Operation.” CPO Magazine, 13 Nov. 2020, https://www.cpomagazine.com/cyber-security/maze-ransomware-group-infamous-for-adding-doxxing-threats-to-attacks-announces-it-is-shutting-down-its-cyber-crime-operation/.
- Kiguolis, Linas. “Bayer Cyber Attack: Chinese Hackers Wicked Panda Used Winnti Malware.” Security and Spyware News, 2-Spyware.com, 6 Apr. 2019, https://www.2-spyware.com/bayer-cyber-attack-chinese-hackers-wicked-panda-used-winnti-malware.
- Kingston, Alex. “#6 Silent Chollima – Andariel, Component of Lazarus Group.” LinkedIn, 13 June 2021, https://www.linkedin.com/pulse/6-silent-chollima-andariel-component-lazarus-group-kingston/.
- Lakshmanan, Ravie. “Chinese ‘Twisted Panda’ Hackers Caught Spying on Russian Defense Institutes.” The Hacker News, 23 May 2022, https://thehackernews.com/2022/05/chinese-twisted-panda-hackers-caught.html.
- Lakshmanan, Ravie. “Donot Team Hackers Updated Its Malware Toolkit with Improved Capabilities.” The Hacker News, 19 Aug. 2022, https://thehackernews.com/2022/08/donot-team-hackers-updated-its-malware.html.
- Osborne, Charlie. “Cobalt Threat Group Serves up Spicyomelette in Fresh Bank Attacks.” ZDNET, 27 Sept. 2018, https://www.zdnet.com/article/cobalt-threat-group-serves-up-spicyomelette-in-bank-attacks/.
- Loui, Eric, and Josh Reynolds. “Carbon Spider Embraces Big Game Hunting, Part 1.” CrowdStrike Blog, CrowdStrike, 18 Mar. 2022, https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/.
- Stone, Jeff. “German Drug Giant Bayer Breached by Chinese Hacking Group Wicked Panda: Report.” CyberScoop, 4 Apr. 2019, https://cyberscoop.com/bayer-breached-china-wicked-panda/.
- Sur, Aihik. “Beware North Korean Hackers Targeting Crypto Firms, Says US.” MediaNama, 20 Apr. 2022, https://www.medianama.com/2022/04/223-north-korean-hackers-target-crypto-firms-advisory/.
- Unlisted. “APTs & Adversary Groups List – Malware & Ransomware.” CrowdStrike Adversary Universe, 2023, https://adversary.crowdstrike.com/en-US/.
- Unlisted. “APTs Tracked in October: Venomous Bear.” BlueVoyant, 16 Jan. 2020, https://www.bluevoyant.com/blog/apts-tracked-in-october-venomous-bear.
- Unlisted. “Bayer Hit by Cyberattack.” DW.com, Deutsche Welle, 4 Apr. 2019, https://www.dw.com/en/bayer-points-finger-at-wicked-panda-in-cyberattack/a-48196004.
- Unlisted. “Cozy Bear.” Wikipedia, Wikimedia Foundation, 30 Dec. 2022, https://en.wikipedia.org/wiki/Cozy_Bear.
- Unlisted. “Darkside (Hacker Group).” Wikipedia, Wikimedia Foundation, 6 Jan. 2023, https://en.wikipedia.org/wiki/DarkSide_(hacker_group).
- Unlisted. “Doppelpaymer Ransomware.” Proficio.com, https://www.proficio.com/doppelpaymer-ransomware/.
- Unlisted. “Everything You Need to Know about the APT, Fancy Bear.” Avertium, 19 July 2022, https://www.avertium.com/resources/threat-reports/everything-you-need-to-know-about-the-apt-fancy-bear.
- Unlisted. “Fancy Bear.” Wikipedia, Wikimedia Foundation, 18 Jan. 2023, https://en.wikipedia.org/wiki/Fancy_Bear.
- Unlisted. “Fancy Bear and Venomous Bear: What’s the Difference between the Two Threat Groups?: Cyware Hacker News.” Cyware Hacker News, Cyware Social, 28 July 2019, https://cyware.com/news/fancy-bear-and-venomous-bear-whats-the-difference-between-the-two-threat-groups-430d9985.
- Unlisted. “Lazarus Group.” Wikipedia, Wikimedia Foundation, 11 Jan. 2023, https://en.wikipedia.org/wiki/Lazarus_Group.
- Unlisted. “Maze Ransomware Group Continues Attacks on Oil & Cyberinsurance Giants.” Virsec, Virsec Systems, https://www.virsec.com/blog/maze-ransomware-group-continues-attacks-striking-prominent-oil-cyberinsurance-giants.
- Unlisted. “Mythic Leopard APT Group.” BRANDEFENSE, 8 Dec. 2022, https://brandefense.io/blog/apt-groups/mythic-leopard-apt-group/.
- Unlisted. “Oceanlotus.” Wikipedia, Wikimedia Foundation, 2 June 2022, https://en.wikipedia.org/wiki/OceanLotus.
- Unlisted. “Ransom Mafia – Analysis of the World’s First Ransomware Cartel.” Analyst1, 4 Oct. 2022, https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel.
- Unlisted. “Revil.” Wikipedia, Wikimedia Foundation, 18 Jan. 2023, https://en.wikipedia.org/wiki/REvil.
- Unlisted. “Rocket Kitten.” Wikipedia, Wikimedia Foundation, 13 Feb. 2022, https://en.wikipedia.org/wiki/Rocket_Kitten.
- Unlisted. “Ricochet Chollima: North Korean State Sponsored Hacking Group.” Wikiwand, https://www.wikiwand.com/en/Ricochet_Chollima.
- Unlisted. “Syrian Electronic Army Escalated Tactics over 2013; Poised for More This Year.” Infosecurity Magazine, 24 Jan. 2014, https://www.infosecurity-magazine.com/news/syrian-electronic-army-escalated-tactics-over/.
- Unlisted. “Who Is Cozy Bear and How Can You Protect Yourself?” TeamPassword, 24 Aug. 2021, https://teampassword.com/blog/who-is-cozy-bear-and-how-can-you-protect-yourself.
- Unlisted. “Wizard Spider.” Wikipedia, Wikimedia Foundation, 21 Nov. 2022, https://en.wikipedia.org/wiki/Wizard_Spider.
- Vijayan, Jai. “India’s Cybercrime and APT Operations on the Rise.” Dark Reading, 23 Sept. 2020, https://www.darkreading.com/threat-intelligence/india-s-cybercrime-and-apt-operations-on-the-rise.
- Wang, Nelson. “US Government Warns of North Korean Crypto Attacks after Tying Nation to $625M Hack.” Yahoo!, Yahoo!, 18 Apr. 2022, https://www.yahoo.com/video/us-government-warns-north-korean-221749005.html?guce_referrer=aHR0cHM6Ly93d3cuZ29vZ2xlLmNvbS8&guce_referrer_sig=AQAAABp6ZMzHqbIWxhoY9-epcjLTMFIFQJGLmkfHjV1ruRKXwtENwfN5A40uFggb_TGPqZRAjeKmUpj9Qn3JqPE5pWxosmWHNphq17_s4ShnbjrtWS2SeZ–81vkg15-gVt9Q2um1KNUORYLx4xQDsARs8cDDPc5Wk6DQhUTJ6_xA42_&guccounter=2.
- Yevdokimova, Anastasiia. “Apt37 Detection: North Korean Hackers Distribute Konni Rat, Target Orgs in Czechia and Poland.” SOC Prime, 27 July 2022, https://socprime.com/blog/apt37-detection-north-korean-hackers-distribute-konni-rat-target-orgs-in-czechia-and-poland/.