summaryrefslogtreecommitdiff
path: root/profiles.yaml
diff options
context:
space:
mode:
Diffstat (limited to 'profiles.yaml')
-rw-r--r--profiles.yaml1588
1 files changed, 1588 insertions, 0 deletions
diff --git a/profiles.yaml b/profiles.yaml
new file mode 100644
index 0000000..b9759c4
--- /dev/null
+++ b/profiles.yaml
@@ -0,0 +1,1588 @@
+# SPDX-License-Identifier: CC0-1.0
+#
+# Copyright (C) 2024 Wojtek Kosior <koszko@koszko.org>
+---
+# "targets" are countries, groups thereof or regions of Earth. Only to most
+# often attacked ones are listed for each group. A country listed for one group
+# may overlap with a region listed (for example: for APT12 we have "Taiwan"
+# listed next to "East Asia
+groups:
+ - name: admin@338
+ origin: China
+ targets:
+ - where: HongKong
+ ref: china-based-threat
+ sectors:
+ - sector: defense
+ ref: rpt-poison-ivy
+ - sector: government
+ ref: rpt-poison-ivy
+ - sector: finance # "finance, economic and trade policy" in our source
+ ref: [rpt-poison-ivy, china-based-threat]
+ - sector: telecommunications/satellites # only "telecommunications" in our
+ # source
+ ref: rpt-poison-ivy
+ - sector: media
+ ref: china-based-threat
+ goals:
+ - goal: espionage
+ ref: china-based-threat
+ references:
+ - label: rpt-poison-ivy
+ URL: https://www.mandiant.com/sites/default/files/2021-09/rpt-poison-ivy.pdf
+ - label: china-based-threat
+ URL: https://cloud.google.com/blog/topics/threat-intelligence/china-based-threat/
+
+ - name: Agrius
+ origin: Iran
+ targets:
+ - where: Israel
+ ref: [evol-agrius, agrius-moneybird]
+ - where: Middle East
+ ref: evol-agrius
+ sectors:
+ - sector: education
+ ref: agrius-moneybird
+ - sector: insurance
+ ref: agrius-moneybird
+ goals:
+ - goal: espionage
+ ref: evol-agrius
+ - goal: disruption
+ ref: [evol-agrius, agrius-moneybird]
+ - goal: extortion
+ ref: [evol-agrius, agrius-moneybird]
+ references:
+ - label: evol-agrius
+ URL: https://assets.sentinelone.com/sentinellabs/evol-agrius
+ - label: agrius-moneybird
+ URL: https://research.checkpoint.com/2023/agrius-deploys-moneybird-in-targeted-attacks-against-israeli-organizations/
+
+ - name: ALLANITE
+ origin: Russia
+ targets:
+ - where: US
+ ref: dragos-allanite
+ - where: UK
+ ref: dragos-allanite
+ sectors:
+ - sector: energy # "electric utility" in our source
+ ref: dragos-allanite
+ goals:
+ - goal: espionage
+ ref: dragos-allanite
+ - goal: disruption
+ ref: dragos-allanite
+ references:
+ - label: dragos-allanite
+ URL: https://www.dragos.com/threat/allanite/
+
+ - name: Aoqin Dragon
+ origin: China
+ targets:
+ - where: East Asia # "southeast Asia" in the source
+ ref: aoqin-newly-discovered
+ - where: Australia
+ ref: aoqin-newly-discovered
+ sectors:
+ - sector: government
+ ref: aoqin-newly-discovered
+ - sector: education
+ ref: aoqin-newly-discovered
+ - sector: telecommunications/satellites # only "telecommunications" in our
+ # source
+ ref: aoqin-newly-discovered
+ goals:
+ - goal: espionage
+ ref: aoqin-newly-discovered
+ references:
+ - label: aoqin-newly-discovered
+ URL: https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/
+
+ - name: APT1
+ origin: China
+ targets:
+ - where: US
+ ref: mandiant-apt1-report
+ sectors:
+ - sector: information technology
+ ref: mandiant-apt1-report
+ - sector: aerospace
+ ref: mandiant-apt1-report
+ - sector: public administration
+ ref: mandiant-apt1-report
+ - sector: public administration
+ ref: mandiant-apt1-report
+ - sector: telecommunications/satellites
+ ref: mandiant-apt1-report
+ - sector: scientific research and consulting
+ ref: mandiant-apt1-report
+ - sector: energy
+ ref: mandiant-apt1-report
+ - sector: transportation
+ ref: mandiant-apt1-report
+ - sector: construction/manufacturing # "construction and manufacturing"
+ # in our source
+ ref: mandiant-apt1-report
+ - sector: non-government organizations # "international organizations" in
+ # our source
+ ref: mandiant-apt1-report
+ - sector: engineering services
+ ref: mandiant-apt1-report
+ - sector: electronics
+ ref: mandiant-apt1-report
+ - sector: legal services
+ ref: mandiant-apt1-report
+ - sector: media # "media, advertising and entertainment" in our source
+ ref: mandiant-apt1-report
+ - sector: navigation
+ ref: mandiant-apt1-report
+ goals:
+ - goal: espionage
+ ref: mandiant-apt1-report
+ references:
+ - label: mandiant-apt1-report
+ ref: https://www.mandiant.com/sites/default/files/2021-09/mandiant-apt1-report.pdf
+
+ - name: APT12
+ origin: China
+ targets:
+ - where: East Asia
+ ref: microtrends-ixeshe
+ - where: Taiwan
+ ref: microtrends-ixeshe
+ sectors:
+ - sector: electronics
+ ref: microtrends-ixeshe
+ - sector: telecommunications/satellites # only "telecommunications" in our
+ # source
+ ref: microtrends-ixeshe
+ goals:
+ - goal: espionage
+ ref: mandiant-2014-report
+ references:
+ - label: mandiant-2014-report
+ URL: https://web.archive.org/web/20140913050920/https://dl.mandiant.com/EE/library/WP_M-Trends2014_140409.pdf
+ - label: microtrends-ixeshe # uses name "IXESHE" rather than "APT12"
+ URL: https://web.archive.org/web/20190808160128/https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_ixeshe.pdf
+
+ - name: APT16
+ origin: China
+ targets:
+ - where: Taiwan
+ ref: the-eps-awakens
+ sectors:
+ # The source mentions more attacks but doesn't attribute them with
+ # certainty to APT16.
+ - sector: media # "media and entertainment" in our source
+ ref: the-eps-awakens
+ goals:
+ - goal: espionage
+ references:
+ - label: the-eps-awakens
+ URL: https://web.archive.org/web/20151226205946/https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html
+
+ - name: APT17
+ origin: China
+ targets:
+ - where: US
+ ref: apt17-report
+ sectors:
+ - sector: government
+ ref: apt17-report
+ - sector: defense
+ ref: apt17-report
+ - sector: information technology
+ ref: apt17-report
+ - sector: legal services # "law firms" in our source
+ ref: apt17-report
+ - sector: mining
+ ref: apt17-report
+ - sector: non-government organizations
+ ref: apt17-report
+ # No goals were explicitly named in our source.
+ references:
+ - label: apt17-report
+ URL: https://web.archive.org/web/20240119213200/https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf
+
+ - name: APT18
+ origin: China
+ targets:
+ - where: US
+ ref: bugcrowd-apt18
+ sectors:
+ # Besides the ones below, our source also mentions "technology" and "high
+ # technology" which are to broad/ambigious for us to use here.
+ - sector: construction/manufacturing
+ ref: bugcrowd-apt18
+ - sector: government
+ ref: bugcrowd-apt18
+ - sector: medical # "healthcare" in our source
+ ref: bugcrowd-apt18
+ - sector: defense
+ ref: bugcrowd-apt18
+ - sector: telecommunications/satellites # only "telecommunications" in our
+ # source
+ ref: bugcrowd-apt18
+ - sector: non-government organizations # "human rights groups" and
+ # "non-profit" in our source
+ ref: bugcrowd-apt18
+ - sector: engineering services # "engineering" in our source
+ ref: bugcrowd-apt18
+ - sector: energy
+ ref: bugcrowd-apt18
+ - sector: education
+ ref: bugcrowd-apt18
+ - sector: aerospace
+ ref: bugcrowd-apt18
+ - sector: transportation
+ ref: bugcrowd-apt18
+ - sector: biotechnology
+ ref: bugcrowd-apt18
+ goals:
+ - goal: espionage
+ ref: bugcrowd-apt18
+ references:
+ - label: bugcrowd-apt18
+ URL: https://www.bugcrowd.com/glossary/apt18/
+
+ - name: APT19
+ origin: China
+ targets:
+ - where: US # Forbes is an American magazine.
+ ref: darkreading-codoso-team
+ - where: Hong Kong # Forbes is also owned b a Hong Kong-based group.
+ ref: darkreading-codoso-team
+ sectors:
+ - sector: legal services # "legal" in our source
+ ref: fireeye-apt-groups
+ - sector: finance # "investment" in our source
+ ref: [fireeye-apt-groups, darkreading-codoso-team]
+ - sector: defense
+ ref: darkreading-codoso-team
+ - sector: dissident groups
+ ref: darkreading-codoso-team
+ - sector: medical # "pharmaceutical" in our source
+ ref: darkreading-codoso-team
+ - sector: energy
+ ref: darkreading-codoso-team
+ goals:
+ - goal: espionage
+ ref: darkreading-codoso-team
+ references:
+ - label: darkreading-codoso-team
+ URL: https://www.darkreading.com/cyberattacks-data-breaches/chinese-hacking-group-codoso-team-uses-forbes-com-as-watering-hole
+
+ - name: APT28
+ origin: Russia
+ targets:
+ - where: US
+ ref: mandiant-apt28
+ - where: Europe
+ ref: [fireeye-apt-groups, mandiant-apt28]
+ - where: NATO
+ ref: fireeye-apt-groups
+ - where: former Soviet Union # "Caucasus" and "eastern European countries"
+ # in `fireeye-apt-groups'
+ ref: [fireeye-apt-groups, mandiant-apt28]
+ - where: Georgia
+ ref: fireeye-apt-groups
+ sectors:
+ - sector: defense # "militaries", "security organizations" and "defense
+ # firms" in our source
+ ref: fireeye-apt-groups
+ - sector: government
+ ref: mandiant-apt28
+ - sector: dissident groups
+ ref: mandiant-apt28
+ - sector: religious groups
+ ref: mandiant-apt28
+ - sector: sport # the World Anti-Doping Agency
+ ref: mandiant-apt28
+ goals:
+ - goal: espionage
+ ref: mandiant-apt28
+ references:
+ - label: mandiant-apt28
+ URL: https://www.mandiant.com/sites/default/files/2021-09/APT28-Center-of-Storm-2017.pdf
+
+ - name: APT29
+ origin: Russia
+ targets:
+ - where: US
+ ref: [eset-operation-ghost-dukes, cyber-case-study-solarwinds]
+ - where: Norway
+ ref: eset-operation-ghost-dukes
+ - where: Europe # 3 EU ministries and a Washington DC embassy
+ ref: eset-operation-ghost-dukes
+ sectors:
+ - sector: government
+ ref: eset-operation-ghost-dukes
+ - sector: drug dealers # a reuse of hacking tools…
+ ref: eset-operation-ghost-dukes
+ goals:
+ - goal: espionage
+ ref: [eset-operation-ghost-dukes, cyber-case-study-solarwinds]
+ references:
+ - label: eset-operation-ghost-dukes
+ URL: https://web-assets.esetstatic.com/wls/2019/10/ESET_Operation_Ghost_Dukes.pdf
+ - label: cyber-case-study-solarwinds
+ URL: https://ollisakersarney.com/wp-content/uploads/2021/10/Cyber_Case_Study_-_SolarWinds_Supply_Chain_Cyberattack.pdf
+
+ - name: APT3
+ origin: China
+ targets:
+ - where: US
+ ref: chinas-cyber-capabilities
+ - where: Germany # Siemens AG is a German company
+ ref: chinas-cyber-capabilities
+ sectors:
+ - sector: information technology
+ ref: chinas-cyber-capabilities
+ - sector: aerospace
+ ref: fireeye-apt-groups
+ - sector: defense
+ ref: fireeye-apt-groups
+ - sector: construction/manufacturing # "construction and engineering" in
+ # our source
+ ref: fireeye-apt-groups
+ - sector: telecommunications/satellites
+ ref: [fireeye-apt-groups, chinas-cyber-capabilities]
+ goals:
+ - goal: espionage
+ ref: chinas-cyber-capabilities
+ references:
+ - label: chinas-cyber-capabilities
+ URL: https://www.uscc.gov/sites/default/files/2022-11/Chapter_3_Section_2--Chinas_Cyber_Capabilities.pdf
+
+ - name: APT30
+ origin: China
+ targets:
+ - where: East Asia # Association of Southeast Asian Nations in our source
+ ref: fireeye-apt-groups
+ sectors:
+ - sector: government
+ ref: fireeye-apt30
+ - sector: media
+ ref: fireeye-apt30
+ goals:
+ - goal: espionage
+ ref: fireeye-apt30
+ references:
+ - label: fireeye-apt30
+ URL: https://scadahacker.com/library/Documents/Cyber_Events/Fireeye%20-%20APT30.pdf
+
+ - name: APT33
+ origin: Iran
+ sectors:
+ - sector: aerospace # "aviation" in `hivepro-apt33'
+ ref: [fireeye-apt-groups, hivepro-apt33]
+ - sector: energy
+ ref: [fireeye-apt-groups, hivepro-apt33]
+ - sector: construction/manufacturing # only "construction" in our source
+ ref: hivepro-apt33
+ - sector: defense
+ ref: hivepro-apt33
+ - sector: education
+ ref: hivepro-apt33
+ - sector: finance
+ ref: hivepro-apt33
+ - sector: medical # "healthcare" and "pharmaceutical" in our source
+ ref: hivepro-apt33
+ - sector: government
+ ref: hivepro-apt33
+ - sector: telecommunications/satellites
+ ref: hivepro-apt33
+ goals:
+ - goal: espionage
+ ref: hivepro-apt33
+ references:
+ - label: hivepro-apt33
+ URL: https://www.hivepro.com/wp-content/uploads/2023/09/APT-33-Uses-Password-Spray-Campaigns-to-Infiltrate-Organizations_TA2023375.pdf
+
+ - name: APT39
+ origin: Iran
+ targets:
+ - where: US
+ ref: fireeye-apt39
+ - where: Middle East
+ ref: fireeye-apt39
+ sectors:
+ - sector: telecommunications/satellites # only "telecommunications" in our
+ # source
+ ref: fireeye-apt39
+ - sector: travel
+ ref: fireeye-apt39
+ - sector: government
+ ref: fireeye-apt39
+ goals:
+ - goal: espionage
+ ref: fireeye-apt39
+ references:
+ - label: fireeye-apt39
+ URL: https://attack.mitre.org/docs/training-cti/FireEye%20APT39%20-%20original%20report.pdf
+
+ - name: APT41
+ origin: China
+ targets:
+ - where: East Asia
+ ref: rt-apt41-dual-operation
+ - where: US
+ ref: rt-apt41-dual-operation
+ - where: India
+ ref: rt-apt41-dual-operation
+ - where: Europe
+ ref: rt-apt41-dual-operation
+ - where: South Africa
+ ref: rt-apt41-dual-operation
+ sectors:
+ - sector: medical
+ ref: rt-apt41-dual-operation
+ - sector: telecommunications/satellites # only "telecommunications" in our
+ # source
+ ref: rt-apt41-dual-operation
+ - sector: education
+ ref: rt-apt41-dual-operation
+ - sector: travel
+ ref: rt-apt41-dual-operation
+ - sector: media
+ ref: rt-apt41-dual-operation
+ - sector: video games
+ ref: rt-apt41-dual-operation
+ - sector: information technology
+ ref: rt-apt41-dual-operation
+ - sector: retail
+ ref: rt-apt41-dual-operation
+ - sector: virtual currencies
+ ref: rt-apt41-dual-operation
+ goals:
+ - goal: rt-apt41-dual-operation
+ ref: expionage
+ - goal: rt-apt41-dual-operation
+ ref: financial theft
+ references:
+ - label: rt-apt41-dual-operation
+ URL: https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf
+
+ # Going alphabetically, now we'd have APT5. It's been omitted because neither
+ # the NSA'a Threat Hunting Guidance[1] nor the description from
+ # ^[fireeye-apt-groups] actually state its origin. Some sources call it a
+ # Chinese group but those can be considered less reliable than these 2.
+
+ - name: Aquatic Panda
+ origin: China
+ sectors:
+ - sector: education
+ ref: overwatch-exposes-aquatic-panda
+ - sector: telecommunications/satellites # only "telecommunications" in our
+ # source
+ ref: overwatch-exposes-aquatic-panda
+ - sector: government
+ ref: overwatch-exposes-aquatic-panda
+ goals:
+ - goal: espionage
+ ref: overwatch-exposes-aquatic-panda
+ references:
+ - label: overwatch-exposes-aquatic-panda
+ URL: https://www.crowdstrike.com/en-us/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
+
+ - name: Axiom
+ origin: China
+ targets:
+ - where: Europe
+ ref: novetta-executive-summary
+ - where: East Asia
+ ref: novetta-executive-summary
+ - where: US
+ ref: novetta-executive-summary
+ sectors:
+ - sector: media # "journalists" in our source
+ ref: novetta-executive-summary
+ - sector: information technology # "software companies" in our source
+ ref: novetta-executive-summary
+ - sector: education
+ ref: novetta-executive-summary
+ - sector: government
+ ref: novetta-executive-summary
+ - sector: telecommunications
+ ref: novetta-executive-summary
+ - sector: non-government organizations
+ ref: novetta-executive-summary
+ goals:
+ - goal: espionage
+ ref: novetta-executive-summary
+ references:
+ - label: novetta-executive-summary
+ URL: https://web.archive.org/web/20230211014413/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf
+
+ - name: BackdoorDiplomacy
+ origin: China
+ targets:
+ - where: Middle East
+ ref: bitdefender-backdoordiplomacy
+ - where: Europe
+ ref: hivepro-backdoordiplomacy
+ - where: South Africa
+ ref: hivepro-backdoordiplomacy
+ - where: Namibia
+ ref: hivepro-backdoordiplomacy
+ - where: South Asia
+ ref: hivepro-backdoordiplomacy
+ sectors:
+ - sector: government
+ ref: hivepro-backdoordiplomacy
+ - sector: telecommunications/satellites # only "telecommunications" in our
+ # source
+ ref: hivepro-backdoordiplomacy
+ goals:
+ - goal: espionage
+ ref: bitdefender-backdoordiplomacy
+ references:
+ - label: bitdefender-backdoordiplomacy
+ URL: https://www.bitdefender.com/files/News/CaseStudies/study/426/Bitdefender-PR-Whitepaper-BackdoorDiplomacy-creat6507-en-EN.pdf
+ - label: hivepro-backdoordiplomacy
+ URL: https://www.hivepro.com/wp-content/uploads/2022/12/BackdoorDiplomacy-targets-the-telecom-industry-in-the-Middle-East_TA2022285.pdf
+
+ - name: BlackTech
+ origin: China
+ targets:
+ - where: East Asia
+ ref: nnt-blacktech
+ - where: US
+ ref: nnt-blacktech
+
+ goals:
+ - goal: espionage
+ ref: nnt-blacktech
+ references:
+ - label: csa-blacktech
+ URL: https://media.defense.gov/2023/Sep/27/2003309107/-1/-1/0/CSA_BLACKTECH_HIDE_IN_ROUTERS_TLP-CLEAR.PDF
+ - label: nnt-blacktech
+ URL: https://jp.security.ntt/resources/EN-BlackTech_2021.pdf
+
+ - name: BRONZE BUTLER
+ origin: China
+ targets:
+ - where: Japan
+ ref: butler-targets-japanese
+ sectors:
+ - sector: government
+ ref: hivepro-butler
+ - sector: defense
+ ref: hivepro-butler
+ goals:
+ - goal: espionage
+ ref: butler-targets-japanese
+ references:
+ - label: butler-targets-japanese
+ URL: https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses
+ - label: hivepro-butler
+ URL: https://www.hivepro.com/wp-content/uploads/2023/03/TA2023135.pdf
+
+ - name: Chimera
+ origin: China
+ targets:
+ - where: Taiwan
+ ref: cycraft-chimera
+ sectors:
+ - sector: electronics
+ ref: cycraft-chimera
+ goals:
+ - goal: espionage
+ ref: cycraft-chimera
+ references:
+ - label: cycraft-chimera
+ URL: https://uploads-ssl.webflow.com/6667e1c7aa0aa53cf61a022c/66bc65e430aa86747891a088_%5BTLP-White%5D20200415%20Chimera_V4.2.pdf
+
+ - name: Cinnamon Tempest
+ origin: China
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Cleaver
+ origin: Iran
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: CopyKittens
+ origin: Iran
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: CURIUM
+ origin: Iran
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: CyberAv3ngers
+ origin: Iran
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Daggerfly
+ origin: China
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Deep Panda
+ origin: China
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Dragonfly
+ origin: Russia
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: DragonOK
+ origin: China
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Earth Lusca
+ origin: China
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Elderwood
+ origin: China
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Ember Bear
+ origin: Russia
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Ferocious Kittens
+ origin: Iran
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+
+ - name: Fox Kitten
+ origin: Iran
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Gallium
+ origin: China
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Gamaredon Group
+ origin: Russia
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: HAFNIUM
+ origin: China
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: IndigoZebra
+ origin: China
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Indrik Spider
+ origin: Russia
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Ke3chang
+ origin: China
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Lazarus Group
+ origin: North Korea
+ targets:
+ - where: South Korea
+ ref: trendmicro-lazarus
+ - where: US
+ ref: trendmicro-lazarus
+ - where: Vietnam
+ ref: trendmicro-lazarus
+ sectors:
+ - sector: government
+ ref: trendmicro-lazarus
+ - sector: finance
+ ref: trendmicro-lazarus
+ - sector: media
+ ref: trendmicro-lazarus
+ - sector: defense
+ ref: trendmicro-lazarus
+ goals:
+ - goal: espionage
+ ref: trendmicro-lazarus
+ - goal: disruption
+ ref: trendmicro-lazarus
+ - goal: extortion
+ ref: trendmicro-lazarus
+ - goal: financial theft
+ ref: trendmicro-lazarus
+ references:
+ - label: trendmicro-lazarus
+ URL: https://www.trendmicro.com/vinfo/nl/security/news/cybercrime-and-digital-threats/a-look-into-the-lazarus-groups-operations
+
+ - name: Leafminer
+ origin: Iran
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Leviathan
+ origin: China
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Lotus Blossom
+ origin: China
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Magic Hound
+ origin: Iran
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: menuPass
+ origin: China
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Moafee
+ origin: China
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Mofang
+ origin: China
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Moonstone Sleet
+ origin: North Korea
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Moses Staff
+ origin: Iran
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: MuddyWater
+ origin: Iran
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Mustang Panda
+ origin: China
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Naikon
+ origin: China
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Nomadic Octopus
+ origin: Russia
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: OilRig
+ origin: Iran
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: PittyTiger
+ origin: China
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Putter Panda
+ origin: China
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Saint Bear
+ origin: Russia
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Sandworm Team
+ origin: Russia
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Silent Librarian
+ origin: Iran
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Star Blizzard
+ origin: Russia
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Suckfly
+ origin: China
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Threat Group-3390
+ origin: China
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Tonto Team
+ origin: China
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Tropic Trooper
+ origin: China # mitre.org calls it unaffiliated but at least one of the
+ # sources calls it "China-backed" and its set of targets is
+ # consistent with that of other Chinese APTs.
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Turla
+ origin: Russia
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: UNC788
+ origin: Iran
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Volt Typhoon
+ origin: China
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Windshift
+ origin: Iran
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Winnti Group
+ origin: China
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ # Going alphabetically, now we'd have Winter Vivern. It's been omitted
+ # because there is no clue as to whether it is actually a Russian group or a
+ # Belorussian one.
+
+ - name: ZIRCONIUM
+ origin: China
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+# Below we keep references that are used in profiles of multiple groups.
+references:
+ label: fireeye-apt-groups
+ URL: https://web.archive.org/web/20180806122230/https://www.fireeye.com/current-threats/apt-groups.html#apt19