{
	"id": "14c64018-e481-4bd3-90b6-f5656c11e05c",
	"created_at": "2026-04-06T00:10:35.452995Z",
	"updated_at": "2026-04-10T03:37:32.471762Z",
	"deleted_at": null,
	"sha1_hash": "6efc210e32fa689785bdec521b6533818038eb0d",
	"title": "Space Invaders: Cyber Threats That Are Out Of This World",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2286356,
	"plain_text": "Space Invaders: Cyber Threats That Are Out Of This World\r\nBy BushidoToken\r\nPublished: 2022-07-31 · Archived: 2026-04-05 13:45:47 UTC\r\nBackground\r\nDestructive cyberattacks and digital espionage campaigns targeting international space programs are a growing and\r\nconcerning trend. Some of the most significant cyberattacks over the last five years have been turning points in the\r\nstate of cybersecurity of international space programs and organizations with satellite infrastructure in space.\r\nSpace exploration and the significance of having satellite infrastructure in space is a key driver of scientific\r\nresearch and technological innovation. However, despite receiving billions of dollars in funding, the digital\r\ninfrastructure and information systems supporting space programs have been impacted by significant cyberattacks\r\nfrom nation-state threat actors and financially motivated cybercriminal groups. This blog aims to use open source\r\nintelligence (OSINT) research to compile and highlight significant cybersecurity incidents impacting the space\r\nindustry that defenders should consider when securing these types of environments.\r\nThere have been a number of positive and landmark headlines recently, such as the successful launches by\r\nSpaceX, BlueOrigin, and Boeing, SpaceX providing critical communications infrastructure to Ukraine via\r\nStarlink, and the creation of the Space Force and Space ISAC. Space is also rarely able to escape geopolitical\r\ntensions and, as such, the Russian mission announced it was pulling out of the International Space Station (ISS),\r\nwhich has had its share of cybersecurity issues in the past.\r\nhttps://blog.bushidotoken.net/2022/07/space-invaders-cyber-threats-that-are.html\r\nPage 1 of 8\n\nIn 2008, prior to when the ISS switched to Linux from Windows XP, Russian cosmonauts reportedly introduced\r\nan infected USB device to the computers aboard the space station.
The Windows XP-based laptops used by the\r\nastronauts on the ISS were infected with a virus called W32.Gammima.AG, a malicious password-swiping\r\ncomputer virus. Not many technical details about the event and the impact it had on the station's computers were\r\nreported publicly. National Aeronautics and Space Administration (NASA) officials at the time described the virus\r\nas a \"nuisance,\" adding that it is \"not a frequent occurrence, but this isn't the first time.\"\r\nDigital Espionage in Space: Satellites and NASA\r\nSatellite Turla\r\nSatellite communications (SATCOM) can provide both TV broadcasting and access to the internet to remote\r\nlocations. This type of satellite-based internet access, however, is known as a downstream-only connection. In\r\nSeptember 2015, Kaspersky Labs disclosed that a Russia-based advanced persistent threat (APT) group called\r\nTurla (aka Snake or VenomousBear) exploited weaknesses in these downstream-only satellite internet\r\nconnections. Turla would monitor downstream connections, identify active IP addresses, select one to appear as\r\nthe originating source IP during intrusions, and hijack it by hiding malicious code within packets sent to and from\r\nthe satellite. Systems compromised by Turla would also then exfiltrate data to IP addresses of regular satellite-based internet users. Turla used this special technique to target systems of governments, embassies, military\r\nentities, educational institutions, research organizations, and pharmaceutical firms across the Middle East and\r\nAfrica. Turla's operations have been tied to the Russian Federal Security Service (FSB) by Estonian intelligence\r\nservices.
In February 2022, German investigative reporters disclosed the identities of two Turla developers and\r\ntheir ties to the Russian FSB.\r\nFigure 1: Satellite Turla hijacking attack explanation (Source: Kaspersky)\r\nNASA \u0026 Chinese Technology Theft\r\nIn December 2018, the US Department of Justice charged two Chinese nationals, part of APT10 (aka menuPass,\r\nStonePanda or POTASSIUM), who conducted a 12-year, Chinese Ministry of State Security (MSS) global hacking\r\nspree that stole data from dozens of US companies and government agencies in a sophisticated technology theft\r\ncampaign. Two of the victims who had hundreds of gigabytes of sensitive data and information stolen included the\r\nNASA Goddard Space Center and the NASA Jet Propulsion Laboratory. The APT10 operators were able to use\r\nspear-phishing attachments to deploy the PoisonIvy malware onto the victims' computers. The emails used\r\nmalicious document attachments and sender addresses of legitimate but compromised accounts. Once installed,\r\nPoisonIvy records user keystrokes to steal credentials and could collect relevant files and other information from\r\ninfected systems. Collected files were then added to encrypted archives and exfiltrated to remote servers owned by\r\nAPT10.\r\nFigure 2: APT10 members on Cyber Most Wanted list (Source: FBI)\r\nNASA \u0026 The SolarWinds Supply Chain Attack\r\nNASA was also more recently a victim of sophisticated Russian cyber-espionage campaigns. In December 2020,\r\nthe SolarWinds supply chain attack linked to the Nobelium APT group (aka APT29, CozyBear, or DarkHalo) was\r\ndisclosed. It involved a malicious software update for the SolarWinds Orion platform that was downloaded by over\r\n18,000 SolarWinds customers.
Nobelium had managed to compromise the SolarWinds software build\r\nenvironment and used a custom implant called SUNSPOT to load the SUNBURST backdoor into the Orion\r\nsoftware update. The intrusion reportedly began in September 2019 and had a first attempt in October 2019 when\r\ntest code was added and pushed to SolarWinds customers. To make it harder to detect, SUNBURST's code was\r\nsigned using stolen certificates from the Orion platform and it used the same naming conventions as Orion’s code so\r\nSolarWinds developers would mistake it for their own. Once installed, SUNBURST would sleep for 12-14 days\r\nbefore it contacted the group’s C\u0026C domain via DNS. SUNBURST's traffic also used the Orion Improvement\r\nProgram (OIP) protocol to blend in with legitimate SolarWinds activity. Nobelium would then use SUNBURST to\r\ndeploy additional malware, such as TEARDROP, RAINDROP, and several others. According to a US National\r\nSecurity Agency (NSA) statement, around 100 nongovernment entities received follow-up activity, which\r\nincluded several US federal government agencies and NASA. In January 2021, the US Office of the Director of\r\nNational Intelligence (ODNI) formally stated that the attack was orchestrated by the Russian Foreign Intelligence\r\nService (SVR).\r\nAnalysis: So What?\r\nAlthough space exploration and research involves a lot of collaboration between international space\r\nagencies, these intelligence agencies operate outside of and ignore these agreements.\r\nThese types of digital espionage campaigns are orchestrated by threat actors operating on behalf of nation-state intelligence agencies. Utilizing these techniques requires vast resources, technically\r\nskilled researchers, and disciplined operators.\r\nTurla, APT10, and Nobelium are the very definition of advanced persistent threats.
These groups operate\r\nconstantly and stop at nothing to execute intelligence gathering campaigns and intellectual property\r\ntheft.\r\nThese types of campaigns are essentially the cyber version of traditional spying that will always happen\r\nbetween nation-state rivals. It is difficult to call these types of intrusions \"attacks\" because there were no\r\ndestructive components. However, the information collected in these cyber-espionage campaigns may\r\nsupport future destructive offensive operations.\r\nDestructive Cyberattacks affecting Space\r\n\".garminwasted\"\r\nCyberattacks degrading the performance of IT systems and networks are more likely to originate from\r\ncybercriminal threat groups than nation-state APTs. In late July 2020, Garmin, a major manufacturer of navigation\r\nequipment - used by NASA's Ingenuity Mars Helicopter - and smart devices, was the victim of a WastedLocker\r\nransomware attack. Garmin's cloud services, including device syncing and geopositioning instruments used by pilots,\r\nwere disabled as a result. In its official statement, Garmin confirmed that it was the victim of a cyberattack that\r\ninterrupted online services and encrypted some internal systems. Garmin reported that there was no evidence\r\nanyone gained unauthorized access to user data during the incident. An anonymous Garmin employee familiar\r\nwith the incident told BleepingComputer that the ransom demand was $10 million. After a four-day global service\r\noutage, Garmin suddenly announced that they were starting to restore services after paying the ransom to the\r\ncybercriminals to receive a decryptor. Notably, WastedLocker has been attributed to EvilCorp via its similarities to\r\nDoppelPaymer and BitPaymer, other ransomware families developed by the eCrime threat group.
In December\r\n2019, EvilCorp was placed on the US OFAC sanctions list for causing $100 million in financial damages.\r\nTherefore, paying the ransom to EvilCorp could lead to hefty fines from the US government.\r\nFigure 3: Garmin outage notices and WastedLocker ransom note (Source: BleepingComputer)\r\nWorld's First SATCOM Attack\r\nOne of the most destructive cyberattacks in space was against Europe's SATCOM networks on the night of the\r\nRussian invasion of Ukraine. The US and EU stated that on 24 February 2022, Russia launched cyberattacks\r\nagainst the commercial satellite communications network known as KA-SAT, belonging to Viasat. The cyberattack\r\nwas aimed at disrupting Ukrainian command and control operations, and resulted in significant spillover impacts\r\ninto other European countries, including Germany, Greece, Poland, Italy, and Hungary. Broadband services took\r\nover one month to recover from the incident. According to Viasat, tens of thousands of SATCOM modems were\r\ndestroyed as a result and had to be replaced. The adversaries were reportedly able to gain access by exploiting a\r\n\"misconfigured VPN\" and moved laterally to the management segment of the KA-SAT network. From there, the\r\nattackers executed commands to flash the memory of the modems, rendering them unusable. Interestingly,\r\nresearchers from cybersecurity vendor SentinelOne uncovered a wiper malware called AcidRain designed for\r\nMIPS firmware used by the SATCOM modems that was potentially used in the KA-SAT attack.
SentinelOne\r\nresearchers assess with medium confidence that AcidRain was developed by the same malware authors as\r\nVPNFilter, which was officially attributed to the Russian Main Intelligence Directorate (GRU), more\r\nspecifically GTsST Unit 74455, most well-known as the Sandworm Team.\r\nFigure 4: Side-by-side analysis of attacked KA-SAT modems (Source: reversemode)\r\nRussian Space Agencies Attacked By Hacktivists\r\nState-sponsored APT groups and organized cybercriminals are not the only perpetrators of destructive\r\ncyberattacks against the space industry. In March 2022, a pro-Ukraine hacktivist group known as Network\r\nBattalion 65 (aka NB65) shared via Twitter that it had launched an attack on Roscosmos, Russia's space agency.\r\nDmitry Rogozin, director general of Roscosmos, later tweeted that NB65's claims were \"not true\" and called them\r\n\"scammers and petty swindlers.\" However, the screenshots shared by NB65 allegedly belong to Russian satellite\r\nimaging software and vehicle monitoring systems. The incident at Roscosmos was ultimately denied by officials\r\nand unconfirmed by NB65. Also in March, a Twitter account allegedly tied to the Anonymous collective shared\r\nthat another hacktivist group known as v0g3lSec defaced a website belonging to Russia’s Space Research Institute\r\n(IKI) and leaked files that allegedly belong to the Russian space agency Roscosmos. One of the stolen documents\r\ndiscusses the location of potential landing sites for lunar spacecraft on the Moon's South Pole. This matches the\r\nSouth Pole sites that Russian authorities have already announced, which potentially increases the likelihood\r\nthat these documents were successfully stolen.
\r\nFigure 5: NB65 and v0g3lSec attacked Russian Space Agencies (Source: Vice)\r\nAnalysis: So What?\r\nAlthough uncommon, purely destructive cyberattacks are often the most feared. The loss of data and access\r\nto systems can cause millions of dollars of damage to an organization and set back operations for months\r\nor years. The most destructive attacks often include data encrypting ransomware or data destroying wipers.\r\nRussia has been one of the main sources of destructive cyberattacks globally. Leading up to and during the\r\ninvasion of Ukraine, Russian APT groups have deployed several data wiping malware variants against\r\nUkrainian government entities and Ukrainian critical infrastructure organizations.\r\nOffensive cyber operations perpetrated by the Sandworm Team are some of the most dangerous in the\r\nworld. It is one of the few APT groups that has successfully launched multiple cyberattacks that had\r\ndestructive kinetic effects, mostly against Ukraine.\r\nCourses of Action\r\nCybersecurity experts have often warned that Russian offensive cyber operations treat Ukraine like a sandbox, in\r\nthat new attack types are often tested and proven in the region first. Therefore, it is vital for cyber\r\nthreat intelligence analysts to monitor the threat landscape in Ukraine to capture the tactics, techniques, and\r\nprocedures (TTPs) leveraged by Russian APTs before they are deployed elsewhere globally.\r\nThe adversaries targeting space organizations and satellite networks are some of the most advanced in the wild.\r\nThis includes well-resourced intelligence agencies operating on behalf of Russia and China, as well as\r\nagencies from hostile states such as Iran and North Korea.
It is therefore important to recruit and cultivate skilled\r\ncybersecurity practitioners to compete with the adversaries and direct investment into technologies to prevent\r\nsophisticated attacks.\r\nA lot of the focus has been on nation-state and cybercriminal threat groups, but more focus should be on\r\nhacktivist groups that can also cause significant reputational damage to any organization. Unlike nation-states\r\nthat usually try to covertly gain and maintain access or cybercriminals who look to monetise their access,\r\nhacktivists seek to embarrass an organization by defacing websites, shutting down websites by DDoS attacks, or\r\nhack-and-leak operations to spread unsavoury information publicly. State-backed threat actors have also adopted\r\nhacktivist tactics due to the ability to generate headlines with the aim of embarrassing their geopolitical\r\nopposition.\r\nThe threat model for the space industry is very different from that of many other verticals. The attack surface involves a lot\r\nof advanced technology, such as SATCOM networks, that modern vendors are not suited to protect and that requires\r\ncustom solutions. One main example of this is that endpoint security for Internet-of-Things (IoT) devices is not\r\ncurrently anywhere near the level that modern workstations have available. This makes it an area that is\r\nwoefully underprepared for nation-state advanced persistent threat groups that are going undetected and waiting\r\nfor the time to strike.\r\nSource: https://blog.bushidotoken.net/2022/07/space-invaders-cyber-threats-that-are.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.bushidotoken.net/2022/07/space-invaders-cyber-threats-that-are.html"
	],
	"report_names": [
		"space-invaders-cyber-threats-that-are.html"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f547e816-ea17-442e-915d-c5c76a30669b",
			"created_at": "2022-10-25T16:07:23.891717Z",
			"updated_at": "2026-04-10T02:00:04.780944Z",
			"deleted_at": null,
			"main_name": "NB65",
			"aliases": [],
			"source_name": "ETDA:NB65",
			"tools": [
				"NB65"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8754f54b-7154-4996-b065-94f04f846022",
			"created_at": "2023-11-07T02:00:07.095161Z",
			"updated_at": "2026-04-10T02:00:03.405596Z",
			"deleted_at": null,
			"main_name": "NB65",
			"aliases": [
				"Network Battalion 65"
			],
			"source_name": "MISPGALAXY:NB65",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "04b07437-41bb-4126-bcbb-def16f19d7c6",
			"created_at": "2022-10-25T16:07:24.232628Z",
			"updated_at": "2026-04-10T02:00:04.906097Z",
			"deleted_at": null,
			"main_name": "Stone Panda",
			"aliases": [
				"APT 10",
				"ATK 41",
				"Bronze Riverside",
				"CTG-5938",
				"CVNX",
				"Cuckoo Spear",
				"Earth Kasha",
				"G0045",
				"G0093",
				"Granite Taurus",
				"Happyyongzi",
				"Hogfish",
				"ITG01",
				"Operation A41APT",
				"Operation Cache Panda",
				"Operation ChessMaster",
				"Operation Cloud Hopper",
				"Operation Cuckoo Spear",
				"Operation New Battle",
				"Operation Soft Cell",
				"Operation TradeSecret",
				"Potassium",
				"Purple Typhoon",
				"Red Apollo",
				"Stone Panda",
				"TA429",
				"menuPass",
				"menuPass Team"
			],
			"source_name": "ETDA:Stone Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Anel",
				"AngryRebel",
				"BKDR_EVILOGE",
				"BKDR_HGDER",
				"BKDR_NVICM",
				"BUGJUICE",
				"CHINACHOPPER",
				"ChChes",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"DARKTOWN",
				"DESLoader",
				"DILLJUICE",
				"DILLWEED",
				"Darkmoon",
				"DelfsCake",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Ecipekac",
				"Emdivi",
				"EvilGrab",
				"EvilGrab RAT",
				"FYAnti",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"GreetCake",
				"HAYMAKER",
				"HEAVYHAND",
				"HEAVYPOT",
				"HTran",
				"HUC Packet Transmit Tool",
				"Ham Backdoor",
				"HiddenFace",
				"Impacket",
				"Invoke the Hash",
				"KABOB",
				"Kaba",
				"Korplug",
				"LODEINFO",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MiS-Type",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"NBTscan",
				"NOOPDOOR",
				"Newsripper",
				"P8RAT",
				"PCRat",
				"PlugX",
				"Poison Ivy",
				"Poldat",
				"PowerSploit",
				"PowerView",
				"PsExec",
				"PsList",
				"Quarks PwDump",
				"Quasar RAT",
				"QuasarRAT",
				"RedDelta",
				"RedLeaves",
				"Rubeus",
				"SNUGRIDE",
				"SPIVY",
				"SharpSploit",
				"SigLoader",
				"SinoChopper",
				"SodaMaster",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"UpperCut",
				"Vidgrab",
				"WinRAR",
				"WmiExec",
				"Wmonder",
				"Xamtrav",
				"Yggdrasil",
				"Zlib",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"dfls",
				"lena",
				"nbtscan",
				"pivy",
				"poisonivy",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434235,
	"ts_updated_at": 1775792252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6efc210e32fa689785bdec521b6533818038eb0d.pdf",
		"text": "https://archive.orkl.eu/6efc210e32fa689785bdec521b6533818038eb0d.txt",
		"img": "https://archive.orkl.eu/6efc210e32fa689785bdec521b6533818038eb0d.jpg"
	}
}