1. APT29
2. APT28
3. APT34
4. DRAGONFLY
5. ANIMALFARM
6. APT27
7. APT38
8. MUDDYWATER
9. COBALT GROUP
10. SILENT GROUP
11. KELVIN SECURITY
12. GAZA CYBERGANG
REFERENCES
Main Sources
· The Cyber Threat Handbook, Thales – Verint
· https://www.fireeye.com/current-threats/apt-groups.html
· https://attack.mitre.org/groups/
APT29
· https://pylos.co/2018/11/18/cozybear-in-from-the-cold/
· https://securityaffairs.co/wordpress/78195/apt/apt29-malware-analysis.html
APT34
· 08/11/2017, PaloAlto, OilRig Deploys “ALMA Communicator” – DNS Tunneling Trojan
· 07/12/2017, FireEye, New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit
· 11/12/2017, PaloAlto, OilRig Performs Tests on the TwoFace Webshell
· 25/01/2018, PaloAlto, OilRig uses RGDoor IIS Backdoor on Targets in the Middle East
· 23/02/2018, PaloAlto, OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan
· 03/2018, Nyotron, OilRig is Back with Next-Generation Tools and Techniques
· 17/05/2018, Dragos, CHRYSENE
· 25/07/2018, PaloAlto, OilRig Targets Technology Service Provider and Government Agency with QUADAGENT
· 04/09/2018, PaloAlto, OilRig targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE
· 12/09/2018, PaloAlto, OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government
· 16/11/2018, PaloAlto, Analyzing OilRig’s Ops Tempo from Testing to Weaponization to Delivery
· 27/11/2018, CrowdStrike, Meet CrowdStrike’s Adversary of the Month for November: HELIX KITTEN
· 16/04/2019, PaloAlto, DNS Tunneling in the Wild: Overview of OilRig’s DNS Tunneling
· 23/04/2019, Talos, DNSpionage brings out the Karkoff
· 30/04/2019, PaloAlto, Behind the Scenes with OilRig
· 03/06/2019, Bleeping Computer, New Email Hacking Tool from OilRig APT Group Leaked Online
· 06/06/2019, Marco Ramilli, APT34: Jason project
· 16/06/2019, eutopian.io, APT34 Tools Leak
DRAGONFLY
· MITRE, Dragonfly 2.0, https://attack.mitre.org/groups/G0074/
· 17/12/2010, Symantec, Dream Loader: the new bot C&C engine of your dreams
· 07/07/2014, Symantec, Dragonfly: Cyberespionage Attacks Against Energy Suppliers
· 27/10/2014, Netresec, Full Disclosure of Havex Trojans
· 20/10/2017, Symantec, Dragonfly: Western energy sector targeted by sophisticated attack group
· 20/10/2017, US-CERT, Alert (TA17-293A) Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors
· 16/03/2018, Cylance, Energetic DragonFly DYMALLOY Bear 2.0
· 04/04/2018, NCSC, Hostile state actors compromising UK organisations with focus on engineering and industrial control companies
· 11/07/2019, Dell Secureworks, MCMD Malware Analysis
· 11/07/2019, Dell Secureworks, Updated Karagany Malware Targets Energy Sector
· 24/07/2019, Dell Secureworks, Resurgent Iron Liberty Targeting Energy Sector
ANIMALFARM
· 2017, Security Affairs, https://securityaffairs.co/wordpress/62811/malware/babar-2007-sample.html
· 2015, Infosec Institute, https://resources.infosecinstitute.com/animal-farm-apt-and-the-shadow-of-france-intelligence/#gref
· 2015, Security Affairs, http://securityaffairs.co/wordpress/34462/intelligence/babar-casper-french-intelligence.html
· 2015, Security Affairs, http://securityaffairs.co/wordpress/38204/cyber-crime/dino-malware-animal-farm.html
· 2015, ESET, https://www.welivesecurity.com/2015/03/05/casper-malware-babar-bunny-another-espionage-cartoon/
· 2015, ESET, https://www.welivesecurity.com/2015/06/30/dino-spying-malware-analyzed/
· 2015, Kaspersky, https://securelist.com/animals-in-the-apt-farm/69114/
APT27
· MITRE ATT&CK, Group: Threat Group-3390, TG-3390, …
· Malpedia, Emissary Panda
· APT Groups and Operations
· 05/08/2015, Dell Secureworks, Threat Group 3390 Cyberespionage
· 16/09/2015, TrendMicro, Operation Iron Tiger: Attackers Shift from East Asia to the United States (Appendix)
· 17/10/2016, ThreatConnect, A Tale of Two Targets
· 27/06/2017, Dell Secureworks, BRONZE UNION Cyberespionage Persists Despite Disclosures
· 01/02/2018, BitDefender, Operation PZChao: a possible return of the Iron Tiger APT
· 17/04/2018, NCC Group, Decoding network data from a Gh0st RAT variant
· 18/05/2018, NCC Group, Emissary Panda – A potential new malicious tool
· 13/06/2018, Securelist, LuckyMouse hits national data center to organize country-level waterholing campaign
· 23/07/2018, CSE, Chinese APT 27’s long-term espionage campaign in Syria is still ongoing
· 27/02/2019, Dell Secureworks, A Peek into BRONZE UNION’s Toolbox
· 28/05/2019, PaloAlto, Emissary Panda Attacks Middle East Government Sharepoint Servers
APT38
· 15/01/2018, TrendMicro, New KillDisk Variant Hits Financial Organizations in Latin America, https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-financial-organizations-in-latin-america/
· 12/06/2018, Bluvector, Lazarus Group Uses KillDisk as a Distraction for SWIFT Attacks, https://www.bluvector.io/threat-report-lazarus-group-killdisk-swift/
· 03/10/2018, FireEye, APT38: Un-Usual Suspects, https://content.fireeye.com/apt/rpt-apt38
· 05/08/2019, Reuters, North Korea took $2 billion in cyberattacks to fund weapons program: U.N. report, https://www.reuters.com/article/us-northkorea-cyber-un/north-korea-took-2-billion-in-cyberattacks-to-fund-weapons-program-u-n-report-idUSKCN1UV1ZX
MUDDYWATER
· 16/03/2017, Morphisec, Morphisec Discovers New Fileless Attack Framework
· 26/09/2017, Malwarebytes, Elaborate scripting-fu used in espionage attack against Saudi Arabia Government entity
· 04/10/2017, Security 0wnage, Continued Activity targeting the Middle East
· 14/11/2017, PaloAlto, Muddying the Water: Targeted Attacks in the Middle East
· 12/03/2018, TrendMicro, Campaign Possibly Connected to “MuddyWater” Surfaces in the Middle East and Central Asia
· 13/03/2018, FireEye, Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign
· 08/05/2018, Security 0wnage, Clearing the MuddyWater - Analysis of new MuddyWater Samples
· 14/06/2018, TrendMicro, Another Potential MuddyWater Campaign uses Powershell-based PRB-Backdoor
· 10/10/2018, Kaspersky, MuddyWater expands operations
· 28/11/2018, ClearSky, MuddyWater Operations in Lebanon and Oman
· 30/11/2018, TrendMicro, New PowerShell-based Backdoor Found in Turkey, Strikingly Similar to MuddyWater Tools
· 07/12/2018, Yoroi, Dissecting the MuddyWater Infection Chain
· 10/12/2018, Symantec, Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms
· 21/03/2019, 360.net, Suspected MuddyWater APT organization's latest attack activity analysis against Iraqi mobile operator Korek Telecom
· 10/04/2019, CheckPoint, The Muddy Waters of APT Attacks
· 15/04/2019, ClearSky, Iranian APT MuddyWater Attack Infrastructure Targeting Kurdish Political Groups and Organizations in Turkey
· 20/05/2019, Talos, Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques
· 10/06/2019, TrendMicro, New MuddyWater Activities Uncovered
· 25/06/2019, 360.net, Analysis of MuddyC3, a New Weapon Used by MuddyWater
COBALT GROUP
· MITRE, Cobalt Group, https://attack.mitre.org/groups/G0080/
· 26/08/2016, FireEye, RIPPER ATM Malware and the 12 Million Baht Jackpot, https://www.fireeye.com/blog/threat-research/2016/08/ripper_atm_malwarea.html
· 19/09/2016, TrendMicro, Untangling the Ripper ATM Malware, https://blog.trendmicro.com/trendlabs-security-intelligence/untangling-ripper-atm-malware/
· 16/12/2016, Positive Technologies, COBALT SNATCH, https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-Snatch-eng.pdf
· 01/06/2017, Proofpoint, Microsoft Word Intruder Integrates CVE-2017-0199, Utilized by Cobalt Group to Target Financial Institutions, https://www.proofpoint.com/us/threat-insight/post/microsoft-word-intruder-integrates-cve-2017-0199-utilized-cobalt-group-target
· 01/08/2017, Positive Technologies, COBALT STRIKES BACK: AN EVOLVING MULTINATIONAL THREAT TO FINANCE, https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-2017-eng.pdf
· 07/08/2017, TrendMicro, Backdoor-carrying Emails Set Sights on Russian-speaking Businesses, https://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses/
· 15/08/2017, Group-IB, Secrets of Cobalt, https://www.group-ib.com/blog/cobalt
· 20/11/2017, TrendMicro, Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit Against Russian Banks, https://blog.trendmicro.com/trendlabs-security-intelligence/cobalt-spam-runs-use-macros-cve-2017-8759-exploit/
· 22/11/2017, ReversingLabs, ReversingLabs’ YARA rule detects a Cobalt payload exploiting CVE-2017-11882, https://blog.reversinglabs.com/blog/reversinglabs-yara-rule-detects-cobalt-payload-exploiting-cve-2017-11882
· 24/11/2017, BleepingComputer, A Hacking Group Is Already Exploiting the Office Equation Editor Bug, https://www.bleepingcomputer.com/news/security/a-hacking-group-is-already-exploiting-the-office-equation-editor-bug/
· 28/11/2017, RiskIQ, Gaffe Reveals Full List of Targets in Spear Phishing Attack Using Cobalt Strike Against Financial Institutions, https://www.riskiq.com/blog/labs/cobalt-strike/
· 16/01/2018, RiskIQ, First Activities of Cobalt Group in 2018: Spear Phishing Russian Banks, https://www.riskiq.com/blog/labs/cobalt-group-spear-phishing-russian-banks/
· 18/02/2018, CrowdStrike, 2018 Global Threat Report, https://crowdstrike.lookbookhq.com/global-threat-report-2018-web/cs-2018-global-threat-report
· 26/03/2018, Europol, Mastermind behind EUR 1 billion cyber bank robbery arrested in Spain, https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain
SILENT GROUP
· 01/11/2017, Kaspersky, Silence – a new Trojan attacking financial organizations, https://securelist.com/the-silence/83009/
· 05/09/2018, Group-IB, Silence Moving into the Darkside, https://www.group-ib.com/blog/silence
· 05/09/2018, ZDNet, New Silence hacking group suspected of having ties to cyber-security industry, https://www.zdnet.com/article/new-silence-hacking-group-suspected-of-having-ties-to-cyber-security-industry/
· 24/01/2019, Reaqta, Silence group targeting Russian Banks via Malicious CHM, https://reaqta.com/2019/01/silence-group-targeting-russian-banks/
· 03/07/2019, Bleeping Computer, Silence Group Likely Behind Recent $3M Bangladesh Bank Heist, https://www.bleepingcomputer.com/news/security/silence-group-likely-behind-recent-3m-bangladesh-bank-heist/
· 21/08/2019, Group-IB, Silence 2.0 Going Global, https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf
KELVIN SECURITY
· 2018, InfoArmor, The Evolving Threat Landscape: Nation States, Third-Party Attacks, and the Dark Web, https://blog.infoarmor.com/security-professionals/threat-landscape-nation-states-third-party-attacks-dark-web
· 28/10/2018, Beyond The Perimeter, Venezuelan president’s personally identifiable information available for sale, https://medium.com/beyond-the-perimeter/venezuelan-presidents-personally-identifiable-information-available-for-sale-e315ed9575e0
· 16/02/2019, Rogue Media Labs, Air Dominica & Costa Rican Travel Agency TourPlan.com Hacked by KelvinSec Team, Vulnerabilities & Partial Databases Leaked Online, https://roguemedialabs.com/2019/02/16/air-dominica-costa-rican-travel-agency-tourplan-com-hacked-by-kelvinsec-team-vulnerabilities-partial-databases-leaked-online/
· 15/09/2015, SITE Intelligence Group, Website For North Carolina State Parks Allegedly Hacked Databases Leaked, https://ent.siteintelgroup.com/Dark-Web-and-Cyber-Security/website-for-north-carolina-state-parks-allegedly-hacked-databases-leaked.html
GAZA CYBERGANG
· 13/01/2012, Walla, The hackers return fire at Ayalon, and online users wonder about his intentions, https://news.walla.co.il/item/2500063
· 02/07/2013, Threatpost, njRAT Espionage Malware Targets Middle Eastern Governments, Telecoms and Energy, https://threatpost.com/njrat-espionage-malware-targets-middle-eastern-governments-telecoms-and-energy/101162/
· 23/08/2013, FireEye, Operation Molerats: Middle East Cyber Attacks Using Poison Ivy, https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html
· 19/02/2014, FireEye, XtremeRAT: Nuisance or Threat?, https://www.fireeye.com/blog/threat-research/2014/02/xtremerat-nuisance-or-threat.html
· 02/06/2014, FireEye, Molerats, Here for Spring!, https://www.fireeye.com/blog/threat-research/2014/06/molerats-here-for-spring.html
· 04/06/2014, Dark Reading, Molerats Go After Governments, US Financial Institution, https://www.darkreading.com/molerats-go-after-governments-us-financial-institution/d/d-id/1269423
· 02/2015, Kaspersky, The Desert Falcons Targeted attacks, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064309/The-Desert-Falcons-targeted-attacks.pdf
· 27/04/2015, PwC, Attacks against Israeli & Palestinian interests, https://pwc.blogs.com/cyber_security_updates/2015/04/attacks-against-israeli-palestinian-interests.html
· 28/09/2015, Kaspersky, Gaza cybergang, where’s your IR team?, https://securelist.com/gaza-cybergang-wheres-your-ir-team/72283/
· 01/2016, ClearSky, Operation DustySky, https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf
· 06/2016, ClearSky, Operation DustySky Part 2, https://www.clearskysec.com/wp-content/uploads/2016/06/Operation-DustySky2_-6.2016_TLP_White.pdf
· 31/01/2017, Security Week, Gaza Cybergang Uses QuasarRAT to Target Governments, https://www.securityweek.com/gaza-cybergang-uses-quasarrat-target-governments
· 11/04/2017, FireEye, CVE-2017-0199: In the Wild Attacks Leveraging HTA Handler, https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html
· 30/10/2017, Security Week, Hamas-Linked ‘Gaza Cybergang’ Has New Tools, Targets, https://www.securityweek.com/hamas-linked-gaza-cybergang-has-new-tools-targets
· 30/10/2017, Kaspersky, Gaza Cybergang – updated activity in 2017, https://securelist.com/gaza-cybergang-updated-2017-activity/82765/
· 30/01/2018, International Business Times, TopHat campaign: Hackers target Middle East using malware-laced Arabic files about political events, https://www.ibtimes.co.uk/tophat-campaign-hackers-target-middle-east-using-malware-laced-arabic-files-about-political-events-1657217
· 12/04/2018, Kaspersky, Operation Parliament, who is doing what?, https://securelist.com/operation-parliament-who-is-doing-what/85237/
· 09/07/2018, Security Week, New Attacks on Palestine Linked to ‘Gaza Cybergang’, https://www.securityweek.com/new-attacks-palestine-linked-gaza-cybergang
· 12/09/2018, GitHub, ThreatHunter-Playbook/playbooks/groups/Molerats.md, https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/blob/master/playbooks/groups/Molerats.md
· 10/04/2019, Kaspersky, The Gaza cybergang and its SneakyPastes campaign, https://www.kaspersky.com/blog/gaza-cybergang/26363/
· 14/02/2019, 360 Threat Intelligence, Suspected Molerats’ New Attack in the Middle East, https://ti.360.net/blog/articles/suspected-molerats-new-attack-in-the-middle-east-en/
· 23/04/2019, Israel National Cyber Directorate, The Gaza Cybergang attack group, https://www.gov.il/BlobFolder/reports/gaza-cybergang/he/GazaCybergang-CERT-IL-W-908.pdf
GHOST SQUAD HACKERS
· https://twitter.com/GhostSquadHack
· https://www.facebook.com/GhostSquadHackers/
· https://twitter.com/H4x0Rs_Ghost666/status/1000359109114281984
· https://www.youtube.com/channel/UC8PhMJ74E53sy9pqzf79q5w
· 07/01/2016, Fossbytes, Ghost Squad Hackers Hack Ethiopian Websites In Response To Killing Of Protesting Students, https://fossbytes.com/ghost-squad-hackers-hack-ethiopian-website-in-response-to-killing-of-students-during-protest/
· 21/05/2016, HackRead, Hacktivists Shut Down Donald Trump Hotel Collections Website, https://www.hackread.com/donald-trump-hotel-collections-website-down/
· 23/06/2016, HackRead, Hackers Just Leaked Personal Data of US Military Officials and it’s Legit, https://www.hackread.com/ghost-squad-hackers-leak-us-military-data/
· 31/07/2016, HackRead, Twitter Account of Afghan Chief Executive Dr. Abdullah Hacked, https://www.hackread.com/twitter-account-dr-abdullah-hacked/
· 02/08/2016, The Hack Today, Ghost Squad Hackers: Hacks Afghan Government in Protest of Ongoing Corruption and U.S. Drug Ties, https://thehacktoday.com/hacks-afghan-government-in-protest/
· 02/09/2016, Softpedia, Ghost Squad Hackers Deface 12 Afghan Government Websites, https://news.softpedia.com/news/ghost-squad-hackers-deface-12-afghan-government-websites-507900.shtml
· 23/09/2016, SecurityIntelligence, Dissecting a Hacktivist’s DDoS Tool: Saphyra Revealed, https://securityintelligence.com/dissecting-hacktivists-ddos-tool-saphyra-revealed/
· 17/10/2018, Security Affairs, Brazil expert discovers Oracle flaw that allows massive DDoS attacks, https://securityaffairs.co/wordpress/77181/hacking/oracle-flaw-ddos-attacks.html
· 18/10/2018, The Sun, YouTube HACKED? Cyber-attack group ‘Ghost Squad’ claims responsibility for today’s outage, https://www.thesun.co.uk/tech/7514214/youtube-hack-ghost-squad-cyberattack-outage-down/
· 04/01/2019, Packt, GitHub was down first working day of 2019, hacker claims DDoS, https://hub.packtpub.com/github-was-down-first-working-day-of-2019-hacker-claims-ddos/
· 05/01/2019, What is DDoS, Was GitHub DDoSed On The First Working Day of 2019?, https://whatisddos.com/was-github-ddosed-on-the-first-working-day-of-2019/
· 19/02/2019, Geekboots, Github down due to DDoS attack, https://www.geekboots.com/news/github-down-due-to-ddos-attack
LAZARUS
· 2019, NATO CCDCOE, The All-Purpose Sword: North Korea’s Cyber Operations and Strategies, https://ccdcoe.org/uploads/2019/06/Art_08_The-All-Purpose-Sword.pdf