1. APT29

2. APT28

3. APT34



6. APT27

7. APT38







Ana Kaynaklar

·       The Cyber Threat HandBook, Thales – Verint

·       https://www.fireeye.com/current-threats/apt-groups.html

·       https://attack.mitre.org/groups/


·       https://pylos.co/2018/11/18/cozybear-in-from-the-cold/

·       https://securityaffairs.co/wordpress/78195/apt/apt29-malwareanalysis.html

·       https://www.fireeye.com/blog/threat-research/2018/11/notso-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html


·       PaloAlto, 08/11/2017, OilRig Deploys “ALMA Communicator” – DNS Tunneling Trojan

·       FireEye, 07/12/2017, New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017- 11882 Exploit

·       PaloAlto, 11/12/2017, OilRig Performs Tests on the TwoFace Webshell

·       PaloAlto, 25/01/2018, OilRig uses RGDoor IIS Backdoor on Targets in the Middle East

·       PaloAlto, 23/02/2018, OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan

·       Nyotron, 03/2018, OilRig is Back with Next-Generation Tools and Techniques

·       DragoS, 17/05/2018, CHRYSENE

·       PaloAlto, 25/07/2018, OilRig Targets Technology Service Provider and Government Agency with QUADAGENT

·       PaloAlto, 04/09/2018, OilRig targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE

·       PaloAlto, 12/09/2018, OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government

·       PaloAlto, 16/11/2018, Analyzing OilRig’s Ops Tempo from Testing to Weaponization to Delivery

·       CrowdStrike, 27/11/2018, Meet CrowdStrike’s Adversary of the Month for November: HELIX KITTEN

·       PaloAlto, 16/04/2019, DNS Tunneling in the Wild: Overview of OilRig’s DNS Tunneling

·       Talos, 23/04/2019, DNSpionage brings out the Karkoff

·       PaloAlto, 30/04/2019, Behind the Scenes with OilRig

·       Bleeping Computer, 03/06/2019, New Email Hacking Tool from OilRig APT Group Leaked Online

·       Marco Amilli, 06/06/2019, APT34: Jason project

·       eutopian.io, 16/06/2019, APT34 Tools Leak


·       MITRE, Dragonfly 2.0, https://attack.mitre.org/groups/G0074/

·       17/12/2010, Symantec, Dream Loader: the new bot C&C engine of your dreams

·       07/07/2014, Symantec, Dragonfly: Cyberespionage Attacks Against Energy Suppliers

·       27/10/2014, Netresec, Full Disclosure of Havex Trojans

·       20/10/2017, Symantec, Dragonfly: Western energy sector targeted by sophisticated attack group

·       20/10/2017, US-CERT, Alert (TA17-293A) Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors

·       16/03/2018, Cylance, Energetic DragonFly DYMALLOY Bear 2.0

·       04/04/2018, NCSC, Hostile state actors compromising UK organisations with focus on engineering and industrial control companies

·       11/07/2019, Dell Secureworks. MCMD Malware Analysis

·       11/07/2019, Dell Secureworks, Updated Karagany Malware Targets Energy Sector

·       24/07/2019, Dell Secureworks, Resurgent Iron Liberty Targeting Energy Sector


·       Security Affairs, 2017: https://securityaffairs.co/wordpress/62811/ malware/babar-2007-sample.html

·       Infosec Institute, 2015: https://resources.infosecinstitute.com/ animal-farm-apt-and-the-shadow-of-france-intelligence/#gref

·       Security Affairs, 2015: http://securityaffairs.co/wordpress/34462/ intelligence/babar-casper-french-intelligence.html

·       Security Affairs, 2015: http://securityaffairs.co/ordpress/38204/ cyber-crime/dino-malware-animal-farm.html

·       ESET, 2015: https://www.welivesecurity.com/2015/03/05/caspermalware- babar-bunny-another-espionage-cartoon/

·       ESET, 2015: https://www.welivesecurity.com/2015/06/30/ dino-spying-malware-analyzed/

·       Kaspersky, 2015: https://securelist.com/animals-in-the-aptfarm/ 69114/


·       MITRE ATT&CK, Group: Threat Group-3390, TG-3390, …

·       Malpedia, Emissary Panda

·       APT Groups and Operations

·       05/08/2015, Dell Secureworks, Threat Group 3390 Cyberespionage

·       16/09/2015, TrendMicro, Operation Iron Tiger: Attackers Shift from East Asia to the United States Appendix

·       17/10/2016, ThreatConnect, A Tale of Two Targets

·       27/06/2017, Dell Secureworks, BRONZE UNION Cyberespionage Persists Despite Disclosures

·       01/02/2018, BitDefender, Operation PZChao: a possible return of the Iron Tiger APT

·       17/04/2018, NCC Group, Decoding network data from a Gh0st RAT variant

·       18/05/2018, NCC Group, Emissary Panda – A potential new malicious tool

·       13/06/2018, Securelist, LuckyMouse hits national data center to organize country-level waterholing campaign

·       23/07/2018, CSE, Chinese APT 27’s long-term espionage campaign in Syria is still ongoing

·       27/02/2019, Dell Secureworks, A Peek into BRONZE UNION’s Toolbox

·       28/05/2019, PaloAlto, Emissary Panda Attacks Middle East Government Sharepoint Servers


·       15/01/2018, TrendMicro, New KillDisk Variant Hits Financial Organizations in Latin America, https://blog.trendmicro.com/ trendlabs-security-intelligence/new-killdisk-variant-hits-financialorganizations- in-latin-america/

·       12/06/2018, Bluvector, Lazarus Group Uses KillDisk as a Distraction for SWIFT Attacks, https://www.bluvector.io/threatreport- lazarus-group-killdisk-swift/

·       03/10/2018, FireEye, APT38: Un-Usual Suspects, https://content. fireeye.com/apt/rpt-apt38

·       05/08/2019, Reuters, North Korea took $2 billion in cyberattacks to fund weapons program: U.N. report, https://www.reuters.com/ article/us-northkorea-cyber-un/north-korea-took-2-billion-in-cyberattacks- to-fund-weapons-program-u-n-report-idUSKCN1UV1ZX


·       16/03/2017, Morphisec, Morphisec Discovers New Fileless Attack Framework

·       26/09/2017, Malwarebytes, Elaborate scripting-fu used in espionage attack against Saudi Arabia Government entity

·       04/10/2017, Security 0wnage, Continued Activity targeting the Middle East

·       14/11/2017, PaloAlto, Muddying the Water: Targeted Attacks in the Middle East

·       12/03/2018, TrendMicro, Campaign Possibly Connected to “MuddyWater” Surfaces in the Middle East and Central Asia

·       13/03/2018, FireEye, Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign

·       08/05/2018, Security 0wnage, Clearing the MuddyWater - Analysis of new MuddyWater Samples

·       14/06/2018, TrendMicro, Another Potential MuddyWater Campaign uses Powershell-based PRB-Backdoor

·       10/10/2018, Kaspersky, MuddyWater expands operations

·       28/11/2018, ClearSky, MuddyWater Operations in Lebanon and Oman

·       30/11/2018, TrendMicro, New PowerShell-based Backdoor Found in Turkey, Strikingly Similar to MuddyWater Tools

·       07/12/2018, Yoroi, Dissecting the MuddyWater Infection Chain

·       10/12/2018, Symantec, Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms

·       21/03/2019, 360.net, Suspected MuddyWater APT organization's latest attack activity analysis against Iraqi mobile operator Korek Telecom

·       10/04/2019, CheckPoint, The Muddy Waters of APT Attacks

·       15/04/2019, ClearSky, Iranian APT MuddyWater Attack Infrastructure Targeting Kurdish Political Groups and Organizations in Turkey

·       20/05/2019, Talos, Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques

·       10/06/2019, TrendMicro, New MuddyWater Activities Uncovered

·       25/06/2019, 360.net, Analysis of MuddyC3, a New Weapon Used by MuddyWater


·       MITRE, Cobalt Group, https://attack.mitre.org/groups/G0080/

·       26/08/2016, FireEye, RIPPER ATM Malware and the 12 Million Baht Jackpot, https://www.fireeye.com/blog/threat-research/2016/08/ ripper_atm_malwarea.html

·       19/09/2016, TrendMicro, Untangling the Ripper ATM Malware, https://blog.trendmicro.com/trendlabs-security-intelligence/ untangling-ripper-atm-malware/

·       16/12/2016, Positive Technologies, COBALT SNATCH, https:// www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt- Snatch-eng.pdf

·       01/06/2017, proofpoint, Microsoft Word Intruder Integrates CVE-2017-0199, Utilized by Cobalt Group to Target Financial Institutions, https://www.proofpoint.com/us/threat-insight/post/ microsoft-word-intruder-integrates-cve-2017-0199-utilizedcobalt- group-target

·       01/08/2017, Positive Technologies, COBALT STRIKES BACK: AN EVOLVING MULTINATIONAL THREAT TO FINANCE, https:// www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt- 2017-eng.pdf

·       07/08/2017, TrendMicro,Backdoor-carrying Emails Set Sights on Russian-speaking Businesses, https://blog.trendmicro.com/ trendlabs-security-intelligence/backdoor-carrying-emails-setsights- on-russian-speaking-businesses/

·       15/08/2017, Group-IB, Secrets of Cobalt, https://www.groupib. com/blog/cobalt

·       20/11/2017, TrendMicro, Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit Against Russian Banks, https://blog.trendmicro.com/trendlabs-security-intelligence/ cobalt-spam-runs-use-macros-cve-2017-8759-exploit/

·       22/11/2017, ReversingLabs, ReversingLabs’ YARA rule detects a Cobalt payload exploiting CVE-2017-11882, https://blog. reversinglabs.com/blog/reversinglabs-yara-rule-detects-cobaltpayload- exploiting-cve-2017-11882

·       24/11/2017, BleepingComputer, A Hacking Group Is Already Exploiting the Office Equation Editor Bug-, https://www.bleepingcomputer. com/news/security/a-hacking-group-is-already-exploiting-theoffice- equation-editor-bug/

·       28/11/2017, RISKIQ, Gaffe Reveals Full List of Targets in Spear Phishing Attack Using Cobalt Strike Against Financial Institutions, https://www.riskiq.com/blog/labs/cobalt-strike/

·       16/01/2018, RISKIQ, First Activities of Cobalt Group in 2018: Spear Phishing Russian Banks, https://www.riskiq.com/blog/labs/ cobalt-group-spear-phishing-russian-banks/

·       18/02/2018, Crowdstrike, 2018 Global Threat Report, https:// crowdstrike.lookbookhq.com/global-threat-report-2018-web/ cs-2018-global-threat-report

·       26/03/2018, EUROPOL, Mastermind behind EUR 1 billion cyber bank robbery arrested in Spain, https://www.europol.europa.eu/ newsroom/news/mastermind-behind-eur-1-billion-cyber-bankrobbery- arrested-in-spain


·       01/11/2017. Kaspersky, Silence – a new Trojan attacking financial organizations, https://securelist.com/the-silence/83009/

·       05/09/2018, Group IB, Silence Moving into the Darkside, https:// www.group-ib.com/blog/silence

·       05/09/2018, ZDnet, New Silence hacking group suspected of having ties to cyber-security industry, https://www.zdnet.com/ article/new-silence-hacking-group-suspected-of-having-ties-tocyber- security-industry/

·       24/01/2019, Reaqta, Silence group targeting Russian Banks via Malicious CHM, https://reaqta.com/2019/01/silence-grouptargeting- russian-banks/

·       03/07/2019, Bleeping Computer, Silence Group Likely Behind Recent $3M Bangladesh Bank Heist, https://www.bleepingcomputer. com/news/security/silence-group-likely-behind-recent-3mbangladesh- bank-heist/

·       21/08/2019, Group IB, Silence 2.0 Going Global, https://www. group-ib.com/resources/threat-research/silence_2.0.going_global.pdf


·       2018, InfoArmor, The Evolving Threat Landscape: Nation States, Third-Party Attacks, and the Dark Web, https://blog.infoarmor. com/security-professionals/threat-landscape-nation-states-thirdparty- attacks-dark-web

·       28/10/2018, Beyond The Perimeter, Venezuelan president’s personally identifiable information available for sale, https:// medium.com/beyond-the-perimeter/venezuelan-presidentspersonally- identifiable-information-available-for-sale-e315ed9575e0

·       16/02/2019, Rogue Media Labs, Air Dominica & Costa Rican Travel Agency TourPlan.com Hacked by KelvinSec Team, Vulnerabilities & Partial Databases Leaked Online, https://roguemedialabs. com/2019/02/16/air-dominica-costa-rican-travel-agencytourplan- com-hacked-by-kelvinsec-team-vulnerabilities-partialdatabases- leaked-online/

·       15/09/2015, SITE Intelligence Group, Website For North Carolina State Parks Allegedly Hacked Databases Leaked, https://ent. siteintelgroup.com/Dark-Web-and-Cyber-Security/website-fornorth- carolina-state-parks-allegedly-hacked-databases-leaked.html


·       13/January/2012, Walla, םיהות תשרבו ,ןוליאל שא םיבישמ םירקאהה ויתונווכ לע , https://news.walla.co.il/item/2500063

·       02/July/2013, Threat Post, njRAT Espionage Malware Targets Middle Eastern Governments, Telecoms and Energy, https:// threatpost.com/njrat-espionage-malware-targets-middle-easterngovernments- telecoms-and-energy/101162/

·       23/August/2013, Fire Eye, Operation Molerats: Middle East Cyber Attacks Using Poison Ivy, https://www.fireeye.com/blog/ threat-research/2013/08/operation-molerats-middle-east-cyberattacks- using-poison-ivy.html

·       19/February/2014, FireEye, XtremeRAT: Nuisance or Threat?, https://www.fireeye.com/blog/threat-research/2014/02/xtremeratnuisance- or-threat.html

·       02/June/2014, FireEye, Molerats, Here for Spring!, https:// www.fireeye.com/blog/threat-research/2014/06/molerats-herefor- spring.html

·       04/June/2014, Dark Reading, Molerats Go After Governments, US Financial Institution, https://www.darkreading.com/moleratsgo- after-governments-us-financial-institution/d/d-id/1269423

·       February/2015, Kaspersky, The Desert Falcons Targeted attacks, https://media.kasperskycontenthub.com/wp-content/uploads/ sites/43/2018/03/08064309/The-Desert-Falcons-targetedattacks. pdf

·       27/April/2015, pwc, Attacks against Israeli & Palestinian interests, https://pwc.blogs.com/cyber_security_updates/2015/04/attacksagainst- israeli-palestinian-interests.html

·       28/September/2015, Kaspersky, Gaza cybergang, where’s your IR team?, https://securelist.com/gaza-cybergang-wheres-yourir- team/72283/

·       January/2016, ClearSky, Operation DustySky, https://www. clearskysec.com/wp-content/uploads/2016/01/Operation%20 DustySky_TLP_WHITE.pdf

·       June/2016, ClearSky, Operation DustySky Part 2, https://www. clearskysec.com/wp-content/uploads/2016/06/Operation- DustySky2_-6.2016_TLP_White.pdf

·       31/January/2017, Security Week,Gaza Cybergang Uses QuasarRAT to Target Governments,https://www.securityweek. com/gaza-cybergang-uses-quasarrat-target-governments

·       11/April/2017, FireEye, CVE-2017-0199: In the Wild Attacks Leveraging HTA Handler, https://www.fireeye.com/blog/threatresearch/ 2017/04/cve-2017-0199-hta-handler.html

·       30/October/2017, Security Week, Hamas-Linked ‘Gaza Cybergang’ Has New Tools, Targets, https://www.securityweek.com/hamaslinked- gaza-cybergang-has-new-tools-targets

·       30/October/2017, Kaspersky, Gaza Cybergang – updated activity in 2017,l https://securelist.com/gaza-cybergang-updated-2017- activity/82765/

·       30/January/2018, International Business TImes, TopHat campaign: Hackers target Middle East using malware-laced Arabic files about political events, https://www.ibtimes.co.uk/tophat-campaignhackers- target-middle-east-using-malware-laced-arabic-filesabout- political-events-1657217

·       12/April/2018, Kaspersky, Operation Parliament, who is doing what?, https://securelist.com/operation-parliament-who-isdoing- what/85237/

·       09/July/2018, Security Week, New Attacks on Palestine Linked to ‘Gaza Cybergang’, https://www.securityweek.com/new-attackspalestine- linked-gaza-cybergang

·       12/September/2018, GitHub, ThreatHunter-Playbook/playbooks/ groups/Molerats.md, https://github.com/Cyb3rWard0g/ThreatHunter- Playbook/blob/master/playbooks/groups/Molerats.md

·       10/April/2019, Kaspersky, The Gaza cybergang and its SneakyPastes campaign, https://www.kaspersky.com/blog/ gaza-cybergang/26363/

·       14/February/2019, 360 Threat Intelligence, Suspected Molerats’ New Attack in the Middle East, https://ti.360.net/blog/articles/ suspected-molerats-new-attack-in-the-middle-east-en/

·       23/April/2019, הפיקתה תצובק ,ימואלה רבייסה ךרעמ Gaza Cybergang, https://www.gov.il/BlobFolder/reports/gaza-cybergang/ he/GazaCybergang-CERT-IL-W-908.pdf


·       https://twitter.com/GhostSquadHack

·       https://www.facebook.com/GhostSquadHackers/

·       https://twitter.com/H4x0Rs_Ghost666/status/1000359109114281984

·       https://www.youtube.com/channel/UC8PhMJ74E53sy9pqzf79q5w

·       07/01/2016, Fossbytes, Ghost Squad Hackers Hack Ethiopian Websites In Response To Killing Of Protesting Students, https://fossbytes.com/ghost-squad-hackers-hack-ethiopian-website-inresponse- to-killing-of-students-during-protest/

·       21/05/2016, HackRead, Hacktivists Shut Down Donald Trump Hotel Collections Website, https://www.hackread.com/donaldtrump- hotel-collections-website-down/

·       23/06/2016, HackRead, Hackers Just Leaked Personal Data of US Military Officials and it’s Legit, https://www.hackread.com/ghost-squad-hackers-leak-us-military-data/

·       31/07/2016, HackRead, Twitter Account of Afghan Chief Executive Dr. Abdullah Hacked, https://www.hackread.com/ twitter-account-dr-abdullah-hacked/

·       02/08/2016, The Hack Today, Ghost Squad Hackers: Hacks Afghan Government in Protest of Ongoing Corruption and U.S. Drug Ties, https://thehacktoday.com/hacks-afghan-governmentin- protest/

·       02/09/2016, Softpedia, Ghost Squad Hackers Deface 12 Afghan Government Websites, https://news.softpedia.com/news/ghost-squad-hackers-deface-12-afghan-governmentwebsites-507900.shtml

·       23/09/2016, SecurityIntelligence,Dissecting a Hacktivist’s DDoS Tool: Saphyra Revealed, https://securityintelligence.com/dissecting-hacktivists-ddos-tool-saphyra-revealed/

·       17/10/2018, Security Affairs, Brazil expert discovers Oracle flaw that allows massive DDoS attacks, https://securityaffairs.co/wordpress/77181/hacking/oracle-flaw-ddos-attacks.html

·       18/10/2018, The Sun, YouTube HACKED? Cyber-attack group ‘Ghost Squad’ claims responsibility for today’s outage, https://www.thesun.co.uk/tech/7514214/youtube-hack-ghost-squadcyberattack-outage-down/

·       04/01/2019, Packt, GitHub was down first working day of 2019, hacker claims DDoS, https://hub.packtpub.com/github-wasdown-first-working-day-of-2019-hacker-claims-ddos/

·       05/01/2019,What is DDoS, Was GitHub DDoSed On The First Working Day of 2019?, https://whatisddos.com/was-githubddosed-on-the-first-working-day-of-2019/

·       19/02/2019,Geekboots,Github down due to DDos attack, https://www.geekboots.com/news/github-down-due-to-ddos-attack


·       2019, The All-Purpose Sword: North Korea’s Cyber Operations and Strategies, https://ccdcoe.org/uploads/2019/06/Art_08_The- All-Purpose-Sword.pdf

Yorum Gönder

0 Yorumlar