Groups


Groups are sets of related intrusion activity that are tracked by a common name in the security community. Groups are also sometimes referred to as campaigns or intrusion sets. A single group can carry several names because different organizations track the same set of activity under different names.

Groups are mapped to publicly reported technique use and referenced in the ATT&CK threat model. Groups are also mapped to reported software used during intrusions.
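The two paragraphs above describe a data model: each group has a canonical name plus aliases, and is linked to the techniques and software reported for it. The following is an added example, not code from the ATT&CK project, showing how a practitioner would resolve an alias to its group and walk those links. It reads objects in the layout ATT&CK uses to publish its data (STIX 2 `intrusion-set`, `attack-pattern`, `malware`/`tool` and `relationship` objects whose `relationship_type` is `uses`). The sample objects are constructed: the group names and aliases come from the list on this page, while the UUIDs, the placeholder technique ids and every `uses` relationship are made up for illustration and are not ATT&CK's real mappings.

```python
"""Resolve a threat-group alias and list the techniques and software mapped to it.

Added example, not ATT&CK project code. SAMPLE_OBJECTS is constructed data in
ATT&CK's STIX 2 layout; ids, placeholder techniques and relationships are made up.
"""


def _sid(kind, n):
    # Constructed STIX-style identifier; real ATT&CK objects use random UUIDs.
    return f"{kind}--00000000-0000-4000-8000-{n:012d}"


SAMPLE_OBJECTS = [
    {"type": "intrusion-set", "id": _sid("intrusion-set", 1), "name": "APT28",
     "aliases": ["APT28", "Sednit", "Sofacy", "Pawn Storm", "Fancy Bear",
                 "STRONTIUM", "Tsar Team", "Threat Group-4127", "TG-4127"]},
    {"type": "intrusion-set", "id": _sid("intrusion-set", 2), "name": "FIN7",
     "aliases": ["FIN7"]},
    {"type": "intrusion-set", "id": _sid("intrusion-set", 3), "name": "Carbanak",
     "aliases": ["Carbanak", "Anunak"]},
    # Placeholder techniques: hypothetical ids, not real ATT&CK technique ids.
    {"type": "attack-pattern", "id": _sid("attack-pattern", 10),
     "name": "Placeholder Technique A",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T-EXAMPLE-A"}]},
    {"type": "attack-pattern", "id": _sid("attack-pattern", 11),
     "name": "Placeholder Technique B", "revoked": True,
     "external_references": [{"source_name": "mitre-attack", "external_id": "T-EXAMPLE-B"}]},
    # One malware family mapped to two separately tracked groups (as the page notes).
    {"type": "malware", "id": _sid("malware", 20), "name": "Carbanak"},
    {"type": "relationship", "id": _sid("relationship", 30), "relationship_type": "uses",
     "source_ref": _sid("intrusion-set", 1), "target_ref": _sid("attack-pattern", 10)},
    {"type": "relationship", "id": _sid("relationship", 31), "relationship_type": "uses",
     "source_ref": _sid("intrusion-set", 1), "target_ref": _sid("attack-pattern", 11)},
    {"type": "relationship", "id": _sid("relationship", 32), "relationship_type": "uses",
     "source_ref": _sid("intrusion-set", 2), "target_ref": _sid("malware", 20)},
    {"type": "relationship", "id": _sid("relationship", 33), "relationship_type": "uses",
     "source_ref": _sid("intrusion-set", 3), "target_ref": _sid("malware", 20)},
]


def _live(obj):
    # Revoked or deprecated objects (and their relationships) are stale; skip them.
    return not (obj.get("revoked") or obj.get("x_mitre_deprecated"))


def alias_index(objects):
    """Map every casefolded name/alias to its group; fail loudly on an ambiguous alias."""
    index = {}
    for obj in objects:
        if obj["type"] != "intrusion-set" or not _live(obj):
            continue
        for alias in {obj["name"], *obj.get("aliases", [])}:
            key = alias.casefold()
            if key in index and index[key]["id"] != obj["id"]:
                raise ValueError(f"alias {alias!r} is claimed by more than one group")
            index[key] = obj
    return index


def resolve_group(objects, name):
    """Return the intrusion-set for a canonical name or alias (any case), or None."""
    return alias_index(objects).get(name.casefold())


def attack_id(obj):
    """Pull the human-facing ATT&CK id (e.g. a technique id) from external_references."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def _live_uses(objects):
    """Yield (source, target) object pairs for every live 'uses' relationship."""
    by_id = {obj["id"]: obj for obj in objects}
    for rel in objects:
        if rel["type"] != "relationship" or rel.get("relationship_type") != "uses":
            continue
        src, dst = by_id.get(rel["source_ref"]), by_id.get(rel["target_ref"])
        if src and dst and _live(rel) and _live(src) and _live(dst):
            yield src, dst


def group_uses(objects, name):
    """Techniques and software linked to the group that `name` resolves to."""
    group = resolve_group(objects, name)
    if group is None:
        return None
    techniques, software = [], []
    for src, dst in _live_uses(objects):
        if src["id"] != group["id"]:
            continue
        if dst["type"] == "attack-pattern":
            techniques.append((attack_id(dst), dst["name"]))
        elif dst["type"] in ("malware", "tool"):
            software.append(dst["name"])
    return {"group": group["name"], "techniques": sorted(techniques),
            "software": sorted(software)}


def groups_using_software(objects, software_name):
    """Inverse query: names of groups mapped to a malware or tool with this name."""
    return sorted({src["name"] for src, dst in _live_uses(objects)
                   if src["type"] == "intrusion-set" and dst["type"] in ("malware", "tool")
                   and dst["name"].casefold() == software_name.casefold()})


if __name__ == "__main__":
    print(group_uses(SAMPLE_OBJECTS, "fancy bear"))
    print(groups_using_software(SAMPLE_OBJECTS, "Carbanak"))
```

The alias lookup is casefolded because reporting mixes capitalizations of the same name, and it raises rather than silently picking a group when two groups claim one alias, since an ambiguous alias is exactly where a wrong attribution would creep into a report. Revoked and deprecated objects are filtered at both ends of a relationship because ATT&CK keeps them in the published data for history.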

Group List

This is the list of publicly reported groups tracked in ATT&CK:

Group: APT1
Aliases: APT1, Comment Crew, Comment Group, Comment Panda
Description: APT1 is a Chinese threat group that has been attributed to the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. [Mandiant APT1]

Group: APT12
Aliases: APT12, IXESHE, DynCalc, Numbered Panda
Description: APT12 is a threat group that has been attributed to China. [Meyers Numbered Panda] It is also known as DynCalc, IXESHE, and Numbered Panda. [Moran 2014] [Meyers Numbered Panda]

Group: APT16
Aliases: APT16
Description: APT16 is a China-based threat group that has launched spearphishing campaigns targeting Japanese and Taiwanese organizations. [FireEye EPS Awakens Part 2]

Group: APT17
Aliases: APT17, Deputy Dog
Description: APT17 is a China-based threat group that has conducted network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations. [FireEye APT17]

Group: APT18
Aliases: APT18, Threat Group-0416, TG-0416, Dynamite Panda
Description: APT18 is a threat group that has operated since at least 2009 and has targeted a range of industries, including technology, manufacturing, human rights groups, government, and medical. [Dell Lateral Movement]

Group: APT28
Aliases: APT28, Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Threat Group-4127, TG-4127
Description: APT28 is a threat group that has been attributed to the Russian government. [FireEye APT28] [SecureWorks TG-4127] [FireEye APT28 January 2017] [GRIZZLY STEPPE JAR] This group reportedly compromised the Democratic National Committee in April 2016. [Crowdstrike DNC June 2016]

Group: APT29
Aliases: APT29, The Dukes, Cozy Bear
Description: APT29 is a threat group that has been attributed to the Russian government and has operated since at least 2008. [F-Secure The Dukes] [GRIZZLY STEPPE JAR] This group reportedly compromised the Democratic National Committee starting in the summer of 2015. [Crowdstrike DNC June 2016]

Group: APT3
Aliases: APT3, Gothic Panda, Pirpi, UPS Team, Buckeye, Threat Group-0110, TG-0110
Description: APT3 is a China-based threat group that researchers have attributed to China's Ministry of State Security. [FireEye Clandestine Wolf] [Recorded Future APT3 May 2017] This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap. [FireEye Clandestine Wolf] [FireEye Operation Double Tap] As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong. [Symantec Buckeye]

Group: APT30
Aliases: APT30
Description: APT30 is a threat group suspected to be associated with the Chinese government. [FireEye APT30] While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches. [Baumgartner Golovkin Naikon 2015]

Group: APT32
Aliases: APT32, OceanLotus Group
Description: APT32 is a threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists. The group's operations are aligned with Vietnamese state interests. [FireEye APT32 May 2017]

Group: Axiom
Aliases: Axiom, Group 72
Description: Axiom is a cyber espionage group suspected to be associated with the Chinese government. [Axiom] It is responsible for the Operation SMN campaign. [Axiom] Though both this group and Winnti Group use the malware Winnti, the two groups appear to be distinct based on differences in reporting on the groups' TTPs and targeting. [Kaspersky Winnti April 2013] [Kaspersky Winnti June 2015] [Novetta Winnti April 2015]

Group: Carbanak
Aliases: Carbanak, Anunak
Description: Carbanak is a threat group that mainly targets banks. The name also refers to malware of the same name (Carbanak). [Kaspersky Carbanak]

Group: Cleaver
Aliases: Cleaver, TG-2889, Threat Group 2889
Description: Cleaver is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver. [Cylance Cleaver] Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 (TG-2889). [Dell Threat Group 2889]

Group: Darkhotel
Aliases: Darkhotel
Description: Darkhotel is a threat group that has been active since at least 2004. The group has conducted activity on hotel and business center Wi‑Fi and physical connections as well as peer-to-peer and file sharing networks. The actors have also conducted spearphishing. [Kaspersky Darkhotel]

Group: Deep Panda
Aliases: Deep Panda, Shell Crew, WebMasters, KungFu Kittens, PinkPanther, Black Vine
Description: Deep Panda is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications. [Alperovitch 2014] The intrusion into healthcare company Anthem has been attributed to Deep Panda. [ThreatConnect Anthem] This group is also known as Shell Crew, WebMasters, KungFu Kittens, and PinkPanther. [RSA Shell Crew] Deep Panda also appears to be known as Black Vine based on the attribution of both group names to the Anthem intrusion. [Symantec Black Vine]

Group: DragonOK
Aliases: DragonOK
Description: DragonOK is a threat group that has targeted Japanese organizations with phishing emails. Due to overlapping TTPs, including similar custom tools, DragonOK is thought to have a direct or indirect relationship with the threat group Moafee. [Operation Quantum Entanglement] [Symbiotic APT Groups] It is known to use a variety of malware, including Sysget/HelloBridge, PlugX, PoisonIvy, FormerFirstRat, NFlog, and NewCT. [New DragonOK]

Group: Dragonfly
Aliases: Dragonfly, Energetic Bear
Description: Dragonfly is a cyber espionage group that has been active since at least 2011. They initially targeted defense and aviation companies but shifted to focus on the energy sector in early 2013. They have also targeted companies related to industrial control systems. [Symantec Dragonfly]

Group: Dust Storm
Aliases: Dust Storm
Description: Dust Storm is a threat group that has targeted multiple industries in Japan, South Korea, the United States, Europe, and several Southeast Asian countries. [Cylance Dust Storm]

Group: Equation
Aliases: Equation
Description: Equation is a sophisticated threat group that employs multiple remote access tools. The group is known to use zero-day exploits and has developed the capability to overwrite the firmware of hard disk drives. [Kaspersky Equation QA]

Group: FIN10
Aliases: FIN10
Description: FIN10 is a financially motivated threat group that has targeted organizations in North America since at least 2013 through 2016. The group uses stolen data exfiltrated from victims to extort organizations. [FireEye FIN10 June 2017]

Group: FIN6
Aliases: FIN6
Description: FIN6 is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors. [FireEye FIN6 April 2016]

Group: FIN7
Aliases: FIN7
Description: FIN7 is a financially motivated threat group that has primarily targeted the retail and hospitality sectors, often using point-of-sale malware. It is sometimes referred to as Carbanak Group, but these appear to be two groups using the same Carbanak malware and are therefore tracked separately. [FireEye FIN7 March 2017] [FireEye FIN7 April 2017]

Group: GCMAN
Aliases: GCMAN
Description: GCMAN is a threat group that focuses on targeting banks for the purpose of transferring money to e-currency services. [Securelist GCMAN]

Group: Gamaredon Group
Aliases: Gamaredon Group
Description: Gamaredon Group is a threat group that has been active since at least 2013 and has targeted individuals likely involved in the Ukrainian government. [Palo Alto Gamaredon Feb 2017]

Group: Group5
Aliases: Group5
Description: Group5 is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. Group5 has used two commonly available remote access tools (RATs), njRAT and NanoCore, as well as an Android RAT, DroidJack. [Citizen Lab Group5]

Group: Ke3chang
Aliases: Ke3chang
Description: Ke3chang is a threat group attributed to actors operating out of China. [Villeneuve et al 2014]

Group: Lazarus Group
Aliases: Lazarus Group, HIDDEN COBRA, Guardians of Peace
Description: Lazarus Group is a threat group that has been attributed to the North Korean government. [US-CERT HIDDEN COBRA June 2017] The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain. [Novetta Blockbuster]

Group: Lotus Blossom
Aliases: Lotus Blossom, Spring Dragon
Description: Lotus Blossom is a threat group that has targeted government and military organizations in Southeast Asia. [Lotus Blossom Jun 2015] It is also known as Spring Dragon. [Spring Dragon Jun 2015]

Group: MONSOON
Aliases: MONSOON, Operation Hangover
Description: MONSOON is the name of an espionage campaign that apparently started in December 2015 and was ongoing as of July 2016. The actors behind MONSOON are believed to be the same actors behind Operation Hangover. While attribution is unclear, the campaign has targeted victims with military and political interests in the Indian Subcontinent. [Forcepoint Monsoon] Operation Hangover has been reported as being Indian in origin and can be traced back to 2010. [Operation Hangover May 2013]

Group: Moafee
Aliases: Moafee
Description: Moafee is a threat group that appears to operate from the Guangdong Province of China. Due to overlapping TTPs, including similar custom tools, Moafee is thought to have a direct or indirect relationship with the threat group DragonOK. [Haq 2014]

Group: Molerats
Aliases: Molerats, Gaza cybergang, Operation Molerats
Description: Molerats is a politically-motivated threat group that has been operating since 2012. The group's victims have primarily been in the Middle East, Europe, and the United States. [DustySky] [DustySky2]

Group: Naikon
Aliases: Naikon
Description: Naikon is a threat group that has focused on targets around the South China Sea. [Baumgartner Naikon 2015] The group has been attributed to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020). [CameraShy] While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches. [Baumgartner Golovkin Naikon 2015]

Group: Night Dragon
Aliases: Night Dragon
Description: Night Dragon is a threat group that has conducted activity originating primarily in China. [McAfee Night Dragon]

Group: OilRig
Aliases: OilRig
Description: OilRig is a threat group with suspected Iranian origins that has targeted Middle Eastern victims since at least 2015. [Palo Alto OilRig April 2017] [ClearSky OilRig Jan 2017] [Palo Alto OilRig May 2016] [Palo Alto OilRig Oct 2016]

Group: Patchwork
Aliases: Patchwork, Dropping Elephant, Chinastrats
Description: Patchwork is a threat group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. Much of the code used by this group was copied and pasted from online forums. [Cymmetria Patchwork] [Symantec Patchwork]

Group: PittyTiger
Aliases: PittyTiger
Description: PittyTiger is a threat group believed to operate out of China that uses multiple different types of malware to maintain command and control. [Bizeul 2014] [Villeneuve 2014]

Group: Poseidon Group
Aliases: Poseidon Group
Description: Poseidon Group is a Portuguese-speaking threat group that has been active since at least 2005. The group has a history of using information exfiltrated from victims to blackmail victim companies into contracting the Poseidon Group as a security firm. [Kaspersky Poseidon Group]

Group: Putter Panda
Aliases: Putter Panda, APT2, MSUpdater
Description: Putter Panda is a Chinese threat group that has been attributed to Unit 61486 of the 12th Bureau of the PLA’s 3rd General Staff Department (GSD). [CrowdStrike Putter Panda]

Group: RTM
Aliases: RTM
Description: RTM is a cybercriminal group that has been active since at least 2015 and is primarily interested in users of remote banking systems in Russia and neighboring countries. The group uses a Trojan by the same name (RTM). [ESET RTM Feb 2017]

Group: Sandworm Team
Aliases: Sandworm Team, Quedagh
Description: Sandworm Team is a cyber espionage group that has operated since approximately 2009 and has been attributed to Russia. [iSIGHT Sandworm 2014] This group is also known as Quedagh. [F-Secure BlackEnergy 2014]

Group: Scarlet Mimic
Aliases: Scarlet Mimic
Description: Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda, it has not been concluded that the groups are the same. [Scarlet Mimic Jan 2016]

Group: Stealth Falcon
Aliases: Stealth Falcon
Description: Stealth Falcon is a threat group that has conducted targeted spyware attacks against Emirati journalists, activists, and dissidents since at least 2012. Circumstantial evidence suggests there could be a link between this group and the United Arab Emirates (UAE) government, but that has not been confirmed. [Citizen Lab Stealth Falcon May 2016]

Group: Strider
Aliases: Strider, ProjectSauron
Description: Strider is a threat group that has been active since at least 2011 and has targeted victims in Russia, China, Sweden, Belgium, Iran, and Rwanda. [Symantec Strider Blog] [Kaspersky ProjectSauron Blog]

Group: Suckfly
Aliases: Suckfly
Description: Suckfly is a China-based threat group that has been active since at least 2014. [Symantec Suckfly March 2016]

Group: Taidoor
Aliases: Taidoor
Description: Taidoor is a threat group that has operated since at least 2009 and has primarily targeted the Taiwanese government. [TrendMicro Taidoor]

Group: Threat Group-1314
Aliases: Threat Group-1314, TG-1314
Description: Threat Group-1314 is an unattributed threat group that has used compromised credentials to log into a victim's remote access infrastructure. [Dell TG-1314]

Group: Threat Group-3390
Aliases: Threat Group-3390, TG-3390, Emissary Panda, BRONZE UNION
Description: Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims. [Dell TG-3390] The group has targeted organizations in the aerospace, government, defense, technology, energy, and manufacturing sectors. [SecureWorks BRONZE UNION June 2017]

Group: Turla
Aliases: Turla, Waterbug
Description: Turla is a threat group that has infected victims in over 45 countries, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. [Kaspersky Turla]

Group: Winnti Group
Aliases: Winnti Group, Blackfly
Description: Winnti Group is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting. Though both this group and Axiom use the malware Winnti, the two groups appear to be distinct based on differences in reporting on the groups' TTPs and targeting. [Kaspersky Winnti April 2013] [Kaspersky Winnti June 2015] [Novetta Winnti April 2015]

Group: admin@338
Aliases: admin@338
Description: admin@338 is a China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as PoisonIvy, as well as some non-public backdoors. [FireEye admin@338]

Group: menuPass
Aliases: menuPass, Stone Panda, APT10, Red Apollo, CVNX
Description: menuPass is a threat group that appears to originate from China and has been active since approximately 2009. The group has targeted healthcare, defense, aerospace, and government sectors, and has targeted Japanese victims since at least 2014. In 2016 and 2017, the group targeted managed IT service providers, manufacturing and mining companies, and a university. [Palo Alto menuPass Feb 2017] [Crowdstrike CrowdCast Oct 2013] [FireEye Poison Ivy] [PWC Cloud Hopper April 2017] [FireEye APT10 April 2017]