Obtain Capabilities: Tool
Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but (unlike malware) was not intended to be used for those purposes (ex: PsExec). Tool acquisition can involve the procurement of commercial software licenses, including for red teaming tools such as Cobalt Strike. Commercial software may be obtained through purchase, stealing licenses (or licensed copies of the software), or cracking trial versions.(Citation: Recorded Future Beacon 2019) Adversaries may obtain tools to support their operations, including to support execution of post-compromise behaviors. In addition to freely downloading or purchasing software, adversaries may steal software and/or software licenses from third-party entities (including other adversaries).
Procedure Examples

Name | Description
---|---
DarkVishnya | DarkVishnya has obtained and used tools such as Impacket, Winexe, and PsExec.(Citation: Securelist DarkVishnya Dec 2018)
Turla | Turla has obtained and customized publicly-available tools like Mimikatz.(Citation: Symantec Waterbug Jun 2019)
C0032 | During the C0032 campaign, TEMP.Veles obtained and used tools such as Mimikatz and PsExec.(Citation: FireEye TRITON 2019)
Inception | Inception has obtained and used open-source tools such as LaZagne.(Citation: Kaspersky Cloud Atlas August 2019)
Magic Hound | Magic Hound has obtained and used tools like Havij, sqlmap, Metasploit, Mimikatz, and Plink.(Citation: Check Point Rocket Kitten)(Citation: FireEye APT35 2018)(Citation: Check Point APT35 CharmPower January 2022)(Citation: DFIR Phosphorus November 2021)(Citation: Microsoft Iranian Threat Actor Trends November 2021)
Operation Spalax | For Operation Spalax, the threat actors obtained packers such as CyaX.(Citation: ESET Operation Spalax Jan 2021)
BITTER | BITTER has obtained tools such as PuTTY for use in their operations.(Citation: Forcepoint BITTER Pakistan Oct 2016)
Kimsuky | Kimsuky has obtained and used tools such as Nirsoft WebBrowserPassView, Mimikatz, and PsExec.(Citation: Netscout Stolen Pencil Dec 2018)(Citation: Talos Kimsuky Nov 2021)(Citation: Mandiant APT43 March 2024)
BlackTech | BlackTech has obtained and used tools such as PuTTY, SNScan, and PsExec for its operations.(Citation: Symantec Palmerworm Sep 2020)
MuddyWater | MuddyWater has used legitimate tools ConnectWise, RemoteUtilities, and SimpleHelp to gain access to the target environment.(Citation: Anomali Static Kitten February 2021)(Citation: group-ib_muddywater_infra)
LAPSUS$ | LAPSUS$ has obtained tools such as RVTools and AD Explorer for their operations.(Citation: MSTIC DEV-0537 Mar 2022)(Citation: NCC Group LAPSUS Apr 2022)
Triton Safety Instrumented System Attack | In the Triton Safety Instrumented System Attack, TEMP.Veles used tools such as Mimikatz and other open-source software.(Citation: FireEye TEMP.Veles 2018)
Leafminer | Leafminer has obtained and used tools such as LaZagne, Mimikatz, PsExec, and MailSniper.(Citation: Symantec Leafminer July 2018)
APT29 | APT29 has obtained and used a variety of tools including Mimikatz, SDelete, Tor, meek, and Cobalt Strike.(Citation: Mandiant No Easy Breach)(Citation: F-Secure The Dukes)(Citation: Mandiant APT29 Eye Spy Email Nov 22)
APT28 | APT28 has obtained and used open-source tools like Koadic, Mimikatz, and Responder.(Citation: Palo Alto Sofacy 06-2018)(Citation: Securelist Sofacy Feb 2018)(Citation: FireEye APT28 Hospitality Aug 2017)
Wizard Spider | Wizard Spider has utilized tools such as Empire, Cobalt Strike, Rubeus, AdFind, BloodHound, Metasploit, Advanced IP Scanner, Nirsoft PingInfoView, and SoftPerfect Network Scanner for targeting efforts.(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: Mandiant FIN12 Oct 2021)
Ember Bear | Ember Bear has obtained and used open source scripts from GitHub.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)
BRONZE BUTLER | BRONZE BUTLER has obtained and used open-source tools such as Mimikatz, gsecdump, and Windows Credential Editor.(Citation: Symantec Tick Apr 2016)
menuPass | menuPass has used and modified open-source tools like Impacket, Mimikatz, and pwdump.(Citation: PWC Cloud Hopper Technical Annex April 2017)
APT41 | APT41 has obtained and used tools such as Mimikatz, pwdump, PowerSploit, and Windows Credential Editor.(Citation: FireEye APT41 Aug 2019)
FIN8 | FIN8 has used open-source tools such as Impacket for targeting efforts.(Citation: Bitdefender Sardonic Aug 2021)
TA505 | TA505 has used a variety of tools in their operations, including AdFind, BloodHound, Mimikatz, and PowerSploit.(Citation: NCC Group TA505)
APT39 | APT39 has modified and used customized versions of publicly-available tools like PLINK and Mimikatz.(Citation: BitDefender Chafer May 2020)(Citation: IBM ITG07 June 2019)
GALLIUM | GALLIUM has used a variety of widely-available tools, which in some cases they modified to add functionality and/or subvert antimalware solutions.(Citation: Microsoft GALLIUM December 2019)
Cleaver | Cleaver has obtained and used open-source tools such as PsExec, Windows Credential Editor, and Mimikatz.(Citation: Cylance Cleaver)
BackdoorDiplomacy | BackdoorDiplomacy has obtained a variety of open-source reconnaissance and red team tools for discovery and lateral movement.(Citation: ESET BackdoorDiplomacy Jun 2021)
Cinnamon Tempest | Cinnamon Tempest has used open-source tools including customized versions of the Iox proxy tool, NPS tunneling tool, Meterpreter, and a keylogger that uploads data to Alibaba cloud storage.(Citation: Sygnia Emperor Dragonfly October 2022)(Citation: SecureWorks BRONZE STARLIGHT Ransomware Operations June 2022)
TA2541 | TA2541 has used commodity remote access tools.(Citation: Cisco Operation Layover September 2021)
FIN6 | FIN6 has obtained and used tools such as Mimikatz, Cobalt Strike, and AdFind.(Citation: Security Intelligence More Eggs Aug 2019)(Citation: FireEye FIN6 Apr 2019)
Sandworm Team | Sandworm Team has acquired open-source tools for their operations, including Invoke-PSImage, which was used to establish an encrypted channel from a compromised host to Sandworm Team's C2 server in preparation for the 2018 Winter Olympics attack, as well as Impacket and RemoteExec, which were used in their 2022 Prestige operations.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: Microsoft Prestige ransomware October 2022) Additionally, Sandworm Team has used Empire, Cobalt Strike and PoshC2.(Citation: mandiant_apt44_unearthing_sandworm)
Patchwork | Patchwork has obtained and used open-source tools such as QuasarRAT.(Citation: Volexity Patchwork June 2018)
FIN7 | FIN7 has utilized a variety of tools such as Cobalt Strike, PowerSploit, and the remote management tool Atera for targeting efforts.(Citation: Mandiant FIN7 Apr 2022)
Operation CuckooBees | For Operation CuckooBees, the threat actors obtained publicly-available JSP code that was used to deploy a webshell onto a compromised server.(Citation: Cybereason OperationCuckooBees May 2022)
LuminousMoth | LuminousMoth has obtained an ARP spoofing tool from GitHub.(Citation: Bitdefender LuminousMoth July 2021)
Night Dragon | During Night Dragon, threat actors obtained and used tools such as gsecdump.(Citation: McAfee Night Dragon)
APT-C-36 | APT-C-36 obtained and used a modified variant of Imminent Monitor.(Citation: QiAnXin APT-C-36 Feb2019)
WIRTE | WIRTE has obtained and used Empire for post-exploitation activities.(Citation: Lab52 WIRTE Apr 2019)
FIN13 | FIN13 has utilized publicly available tools such as Mimikatz, Impacket, PWdump7, ProcDump, Nmap, and Incognito V2 for targeting efforts.(Citation: Sygnia Elephant Beetle Jan 2022)
Cobalt Group | Cobalt Group has obtained and used a variety of tools including Mimikatz, PsExec, Cobalt Strike, and SDelete.(Citation: PTSecurity Cobalt Dec 2016)
C0021 | For C0021, the threat actors used Cobalt Strike configured with a modified variation of the publicly available Pandora Malleable C2 Profile.(Citation: FireEye APT29 Nov 2018)(Citation: Microsoft Unidentified Dec 2018)
Ke3chang | Ke3chang has obtained and used tools such as Mimikatz.(Citation: NCC Group APT15 Alive and Strong)
Threat Group-3390 | Threat Group-3390 has obtained and used tools such as Impacket, pwdump, Mimikatz, gsecdump, NBTscan, and Windows Credential Editor.(Citation: Unit42 Emissary Panda May 2019)(Citation: Dell TG-3390)
Lazarus Group | Lazarus Group has obtained a variety of tools for their operations, including Responder and PuTTY PSCP.(Citation: Kaspersky ThreatNeedle Feb 2021)
FIN5 | FIN5 has obtained and used a customized version of PsExec, and has also used other tools such as pwdump, SDelete, and Windows Credential Editor.(Citation: Mandiant FIN5 GrrCON Oct 2016)
Thrip | Thrip has obtained and used tools such as Mimikatz and PsExec.(Citation: Symantec Thrip June 2018)
Moses Staff | Moses Staff has used the commercial tool DiskCryptor.(Citation: Checkpoint MosesStaff Nov 2021)
Operation Wocao | For Operation Wocao, the threat actors obtained a variety of open source tools, including JexBoss, KeeThief, and BloodHound.(Citation: FoxIT Wocao December 2019)
CostaRicto | During CostaRicto, the threat actors obtained open source tools to use in their operations.(Citation: BlackBerry CostaRicto November 2020)
POLONIUM | POLONIUM has obtained and used tools such as AirVPN and plink in their operations.(Citation: Microsoft POLONIUM June 2022)
PittyTiger | PittyTiger has obtained and used tools such as Mimikatz and gsecdump.(Citation: Bizeul 2014)
HEXANE | HEXANE has acquired, and sometimes customized, open source tools such as Mimikatz, Empire, VNC remote access software, and DIG.net.(Citation: Kaspersky Lyceum October 2021)(Citation: SecureWorks August 2019)(Citation: Zscaler Lyceum DnsSystem June 2022)
Whitefly | Whitefly has obtained and used tools such as Mimikatz.(Citation: Symantec Whitefly March 2019)
FIN10 | FIN10 has relied on publicly-available software to gain footholds and establish persistence in victim environments.(Citation: FireEye FIN10 June 2017)
INC Ransom | INC Ransom has acquired and used several tools including MegaSync, AnyDesk, esentutl and PsExec.(Citation: Cybereason INC Ransomware November 2023)(Citation: Huntress INC Ransom Group August 2023)(Citation: SOCRadar INC Ransom January 2024)(Citation: Huntress INC Ransomware May 2024)(Citation: SentinelOne INC Ransomware)
Dragonfly | Dragonfly has obtained and used tools such as Mimikatz, CrackMapExec, and PsExec.(Citation: Secureworks IRON LIBERTY July 2019)
IndigoZebra | IndigoZebra has acquired open source tools such as NBTscan and Meterpreter for their operations.(Citation: Checkpoint IndigoZebra July 2021)(Citation: Securelist APT Trends Q2 2017)
Aquatic Panda | Aquatic Panda has acquired and used Cobalt Strike in its operations.(Citation: CrowdStrike AQUATIC PANDA December 2021)
Aoqin Dragon | Aoqin Dragon obtained the Heyoka open source exfiltration tool and subsequently modified it for their operations.(Citation: SentinelOne Aoqin Dragon June 2022)
APT38 | APT38 has obtained and used open-source tools such as Mimikatz.(Citation: ESET Lazarus KillDisk April 2018)
Earth Lusca | Earth Lusca has acquired and used a variety of open source tools.(Citation: TrendMicro EarthLusca 2022)
APT33 | APT33 has obtained and leveraged publicly-available tools for early intrusion activities.(Citation: FireEye APT33 Guardrail)(Citation: Symantec Elfin Mar 2019)
Operation Dream Job | For Operation Dream Job, Lazarus Group obtained tools such as Wake-On-Lan, Responder, ChromePass, and dbxcli.(Citation: ClearSky Lazarus Aug 2020)(Citation: ESET Lazarus Jun 2020)
Ferocious Kitten | Ferocious Kitten has obtained open source tools for its operations, including JsonCPP and Psiphon.(Citation: Kaspersky Ferocious Kitten Jun 2021)
APT32 | APT32 has obtained and used tools such as Mimikatz and Cobalt Strike, and a variety of other open-source tools from GitHub.(Citation: FireEye APT32 May 2017)(Citation: Cybereason Oceanlotus May 2017)
C0018 | For C0018, the threat actors acquired a variety of open source tools, including Mimikatz, Sliver, SoftPerfect Network Scanner, AnyDesk, and PDQ Deploy.(Citation: Cisco Talos Avos Jun 2022)(Citation: Costa AvosLocker May 2022)
Star Blizzard | Star Blizzard has incorporated the open-source EvilGinx framework into their spearphishing activity.(Citation: CISA Star Blizzard Advisory December 2023)(Citation: StarBlizzard)
Gorgon Group | Gorgon Group has obtained and used tools such as QuasarRAT and Remcos.(Citation: Unit 42 Gorgon Group Aug 2018)
Silence | Silence has obtained and modified versions of publicly-available tools like Empire and PsExec.(Citation: Group IB Silence Aug 2019)(Citation: SecureList Silence Nov 2017)
Gamaredon Group | Gamaredon Group has used various legitimate tools, such as `mshta.exe` and Reg, and services during operations.(Citation: unit42_gamaredon_dec2022)
Chimera | Chimera has obtained and used tools such as BloodHound, Cobalt Strike, Mimikatz, and PsExec.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021)
Metador | Metador has used Microsoft's Console Debugger in some of their operations.(Citation: SentinelLabs Metador Sept 2022)
CopyKittens | CopyKittens has used Metasploit, Empire, and AirVPN for post-exploitation activities.(Citation: ClearSky and Trend Micro Operation Wilted Tulip July 2017)(Citation: Microsoft POLONIUM June 2022)
Silent Librarian | Silent Librarian has obtained free and publicly available tools including SingleFile and HTTrack to copy login pages of targeted organizations.(Citation: Proofpoint TA407 September 2019)(Citation: Secureworks COBALT DICKENS September 2019)
C0027 | During C0027, Scattered Spider obtained and used multiple tools including the LINpeas privilege escalation utility, aws_consoler, rsocx reverse proxy, Level RMM tool, and RustScan port scanner.(Citation: Crowdstrike TELCO BPO Campaign December 2022)
Play | Play has used multiple tools for discovery and defense evasion purposes on compromised hosts.(Citation: CISA Play Ransomware Advisory December 2023)
C0010 | For C0010, UNC3890 actors obtained multiple publicly-available tools, including METASPLOIT, UNICORN, and NorthStar C2.(Citation: Mandiant UNC3890 Aug 2022)
TEMP.Veles | TEMP.Veles has obtained and used tools such as Mimikatz and PsExec.(Citation: FireEye TRITON 2019)
Volt Typhoon | Volt Typhoon has used legitimate network and forensic tools and customized versions of open-source tools for C2.(Citation: Microsoft Volt Typhoon May 2023)(Citation: CISA AA24-038A PRC Critical Infrastructure February 2024)
Frankenstein | For Frankenstein, the threat actors obtained and used Empire.(Citation: Talos Frankenstein June 2019)
APT19 | APT19 has obtained and used publicly-available tools like Empire.(Citation: NCSC Joint Report Public Tools)(Citation: FireEye APT19)
C0015 | For C0015, the threat actors obtained a variety of tools, including AdFind, AnyDesk, and Process Hacker.(Citation: DFIR Conti Bazar Nov 2021)
C0017 | For C0017, APT41 obtained publicly available tools such as YSoSerial.NET, ConfuserEx, and BadPotato.(Citation: Mandiant APT41)
FunnyDream | For FunnyDream, the threat actors used a modified version of the open source PcShare remote administration tool.(Citation: Bitdefender FunnyDream Campaign November 2020)
HomeLand Justice | During HomeLand Justice, threat actors used tools including Advanced Port Scanner, Mimikatz, and Impacket.(Citation: CISA Iran Albanian Attacks September 2022)(Citation: Microsoft Albanian Government Attacks September 2022)
Blue Mockingbird | Blue Mockingbird has obtained and used tools such as Mimikatz.(Citation: RedCanary Mockingbird May 2020)
Cutting Edge | During Cutting Edge, threat actors leveraged tools including Interactsh to identify vulnerable targets, PySoxy to simultaneously dispatch traffic between multiple endpoints, BusyBox to enable post exploitation activities, and Kubo Injector to inject shared objects into process memory.(Citation: Mandiant Cutting Edge January 2024)(Citation: Mandiant Cutting Edge Part 3 February 2024)
APT1 | APT1 has used various open-source tools for privilege escalation purposes.(Citation: Mandiant APT1)
Carbanak | Carbanak has obtained and used open-source tools such as PsExec and Mimikatz.(Citation: Kaspersky Carbanak)
DarkHydrus | DarkHydrus has obtained and used tools such as Mimikatz, Empire, and Cobalt Strike.(Citation: Unit 42 DarkHydrus July 2018)
Mitigations

Mitigation | Description
---|---
Pre-compromise | This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.
Detection
In some cases, malware repositories can also be used to identify features of tool use associated with an adversary, such as watermarks in Cobalt Strike payloads.(Citation: Analyzing CS Dec 2020) Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle.
References
- Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
- Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.
- Recorded Future. (2019, June 20). Out of the Blue: How Recorded Future Identified Rogue Cobalt Strike Servers. Retrieved September 16, 2024.
- Maynier, E. (2020, December 20). Analyzing Cobalt Strike for Fun and Profit. Retrieved October 12, 2021.
- Golovanov, S. (2018, December 6). DarkVishnya: Banks attacked through direct connection to local network. Retrieved May 15, 2020.
- Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019.
- GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020.
- MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021. Retrieved January 12, 2023.
- Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018.
- DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023.
- Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022.
- Check Point Software Technologies. (2015). ROCKET KITTEN: A CAMPAIGN WITH 9 LIVES. Retrieved March 16, 2018.
- M. Porolli. (2021, January 21). Operation Spalax: Targeted malware attacks in Colombia. Retrieved September 16, 2022.
- Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. Retrieved June 1, 2022.
- Mandiant. (2024, March 14). APT43: North Korean Group Uses Cybercrime to Fund Espionage Operations. Retrieved May 3, 2024.
- ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019.
- An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
- Threat Intelligence. (2020, September 29). Palmerworm: Espionage Gang Targets the Media, Finance, and Other Sectors. Retrieved March 25, 2022.
- Rostovcev, N. (2023, April 18). SimpleHarm: Tracking MuddyWater’s infrastructure. Retrieved July 11, 2024.
- Mele, G. et al. (2021, February 10). Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies. Retrieved March 17, 2021.
- MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022.
- Brown, D., et al. (2022, April 28). LAPSUS$: Recent techniques, tactics and procedures. Retrieved December 22, 2022.
- FireEye Intelligence. (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019.
- Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018.
- Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023.
- F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
- Dunwoody, M. and Carr, N. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved September 12, 2024.
- Smith, L. and Read, B. (2017, August 11). APT28 Targets Hospitality Sector, Presents Threat to Travelers. Retrieved August 17, 2017.
- Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018.
- Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018.
- Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.
- Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.
- DiMaggio, J. (2016, April 28). Tick cyberespionage group zeros in on Japan. Retrieved July 16, 2018.
- PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
- Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.
- Budaca, E., et al. (2021, August 25). FIN8 Threat Actor Goes Agile with New Sardonic Backdoor. Retrieved August 9, 2023.
- Terefos, A. (2020, November 18). TA505: A Brief History of Their Time. Retrieved July 14, 2022.
- Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020.
- McMillen, D. Sperry, C. (2019, June 14). Observations of ITG07 Cyber Operations. Retrieved May 17, 2021.
- MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021.
- Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.
- Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021.
- Counter Threat Unit Research Team. (2022, June 23). BRONZE STARLIGHT RANSOMWARE OPERATIONS USE HUI LOADER. Retrieved December 7, 2023.
- Biderman, O. et al. (2022, October 3). REVEALING EMPEROR DRAGONFLY: NIGHT SKY AND CHEERSCRYPT - A SINGLE RANSOMWARE GROUP. Retrieved December 6, 2023.
- Ventura, V. (2021, September 16). Operation Layover: How we tracked an attack on the aviation industry to five years of compromise. Retrieved September 15, 2023.
- McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.
- Villadsen, O. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.
- Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al. Retrieved November 25, 2020.
- Roncone, G. et al. (n.d.). APT44: Unearthing Sandworm. Retrieved July 11, 2024.
- MSTIC. (2022, October 14). New “Prestige” ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023.
- Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
- Abdo, B., et al. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved April 5, 2022.
- Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022.
- Botezatu, B. et al. (2021, July 21). LuminousMoth - PlugX, File Exfiltration and Persistence Revisited. Retrieved October 20, 2022.
- McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
- QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020.
- S2 Grupo. (2019, April 2). WIRTE Group attacking the Middle East. Retrieved May 24, 2019.
- Sygnia Incident Response Team. (2022, January 5). TG2003: ELEPHANT BEETLE UNCOVERING AN ORGANIZED FINANCIAL-THEFT OPERATION. Retrieved February 9, 2023.
- Positive Technologies. (2016, December 16). Cobalt Snatch. Retrieved October 9, 2018.
- Microsoft Defender Research Team. (2018, December 3). Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers. Retrieved April 15, 2019.
- Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018.
- Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018.
- Falcone, R. and Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019.
- Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
- Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021.
- Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017.
- Security Response Attack Investigation Team. (2018, June 19). Thrip: Espionage Group Hits Satellite, Telecoms, and Defense Companies. Retrieved July 10, 2018.
- Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022.
- Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
- The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
- Microsoft. (2022, June 2). Exposing POLONIUM activity and infrastructure targeting Israeli organizations. Retrieved July 1, 2022.
- Bizeul, D., Fontarensky, I., Mouchoux, R., Perigaud, F., Pernet, C. (2014, July 11). Eye of the Tiger. Retrieved September 29, 2015.
- Shivtarkar, N. and Kumar, A. (2022, June 9). Lyceum .NET DNS Backdoor. Retrieved June 23, 2022.
- SecureWorks. (2019, August 27). LYCEUM Takes Center Stage in Middle East Campaign. Retrieved November 19, 2019.
- Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022.
- Symantec. (2019, March 6). Whitefly: Espionage Group has Singapore in Its Sights. Retrieved May 26, 2020.
- FireEye iSIGHT Intelligence. (2017, June 16). FIN10: Anatomy of a Cyber Extortion Operation. Retrieved June 25, 2017.
- Team Huntress. (2023, August 11). Investigating New INC Ransom Group Activity. Retrieved June 5, 2024.
- SOCRadar. (2024, January 24). Dark Web Profile: INC Ransom. Retrieved June 5, 2024.
- SentinelOne. (n.d.). What Is Inc. Ransomware? Retrieved June 5, 2024.
- Cybereason Security Research Team. (2023, November 20). Threat Alert: INC Ransomware. Retrieved June 5, 2024.
- Carvey, H. (2024, May 1). LOLBin to INC Ransomware. Retrieved June 5, 2024.
- Secureworks. (2019, July 24). Resurgent Iron Liberty Targeting Energy Sector. Retrieved August 12, 2020.
- Kaspersky Lab's Global Research & Analysis Team. (2017, August 8). APT Trends report Q2 2017. Retrieved February 15, 2018.
- CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021.
- Wiley, B. et al. (2021, December 29). OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt. Retrieved January 18, 2022.
- Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022.
- Kálnai, P., Cherepanov A. (2018, April 03). Lazarus KillDisks Central American casino. Retrieved May 17, 2018.
- Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
- Security Response Attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. Retrieved April 10, 2019.
- Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019.
- ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
- Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.
- GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021.
- Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.
- Carr, N. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
- Venere, G. Neal, C. (2022, June 21). Avos ransomware group expands with new attack arsenal. Retrieved January 11, 2023.
- Costa, F. (2022, May 1). RaaS AvosLocker Incident Response Analysis. Retrieved January 11, 2023.
- Microsoft Threat Intelligence. (2023, December 7). Star Blizzard increases sophistication and evasion in ongoing attacks. Retrieved February 13, 2024.
- CISA, et al. (2023, December 7). Russian FSB Cyber Actor Star Blizzard Continues Worldwide Spear-phishing Campaigns. Retrieved June 13, 2024.
- Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
- GReAT. (2017, November 1). Silence – a new Trojan attacking financial organizations. Retrieved May 24, 2019.
- Group-IB. (2019, August). Silence 2.0: Going Global. Retrieved May 5, 2020.
- Unit 42. (2022, December 20). Russia’s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine. Retrieved September 12, 2024.
- Jansen, W. (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024.
- Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020.
- Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023.
- ClearSky and Trend Micro. (2017, July). Operation Wilted Tulip - Exposing a cyber espionage apparatus. Retrieved May 17, 2021.
- Counter Threat Unit Research Team. (2019, September 11). COBALT DICKENS Goes Back to School…Again. Retrieved February 3, 2021.
- Proofpoint Threat Insight Team. (2019, September 5). Threat Actor Profile: TA407, the Silent Librarian. Retrieved February 3, 2021.
- Parisi, T. (2022, December 2). Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies. Retrieved June 30, 2023.
- CISA. (2023, December 18). #StopRansomware: Play Ransomware AA23-352A. Retrieved September 24, 2024.
- Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. Retrieved September 21, 2022.
- Microsoft Threat Intelligence. (2023, May 24). Volt Typhoon targets US critical infrastructure with living-off-the-land techniques. Retrieved July 27, 2023.
- CISA et al. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
- Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.
- Ahl, I. (2017, June 06). Privileges and Credentials: Phished at the Request of Counsel. Retrieved May 17, 2018.
- The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.
- DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.
- Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022.
- Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
- MSTIC. (2022, September 8). Microsoft investigates Iranian attacks against the Albanian government. Retrieved August 6, 2024.
- CISA. (2022, September 23). AA22-264A Iranian State Actors Conduct Cyber Operations Against the Government of Albania. Retrieved August 6, 2024.
- Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020.
- McLellan, T. et al. (2024, January 12). Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation. Retrieved February 27, 2024.
- Lin, M. et al. (2024, February 27). Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts. Retrieved March 1, 2024.
- Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
- Kaspersky Lab's Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018.
- Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.