{ "id": "e76b74c8-aede-4bbe-9bed-75ed8aeed853", "created_at": "2026-04-06T00:11:09.476147Z", "updated_at": "2026-04-10T13:12:34.852853Z", "deleted_at": null, "sha1_hash": "9b2f115a5439843eea6df6a7c3788edc4a221b2a", "title": "Iran and Russia blamed for statesponsored espionage", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 104399, "plain_text": "Iran and Russia blamed for statesponsored espionage\r\nBy Steve Gold\r\nArchived: 2026-04-05 15:08:10 UTC\r\nThis site uses cookies. By continuing to browse this site you are agreeing to our use of cookies. Find out more.X\r\nHome\r\nNews\r\nFeatures\r\nNews Bytes\r\nOpinion\r\nNewsletters\r\nProducts\r\nGroup Tests\r\nWhitepapers\r\nEvents\r\nWebcasts\r\nVirtual Events\r\nEvents Calendar\r\nLive Events\r\nSC Congress London\r\nSC Congress London: 20 March 2014. Free, live conference providing IT security professionals with\r\nexpert guidance to combat today’s cyber criminals.\r\nSC Awards Europe 2014!\r\nSimply the most coveted and prestigious awards for the information security industry. Our Awards honour\r\nprofessionals working to secure enterprises of all sizes and the vendors that deliver innovative security\r\ntechnologies.\r\nhttps://web.archive.org/web/20140129192702/https://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/\r\nPage 1 of 5\n\nVirtual event: Tackling advanced persistent threats\r\nFebruary 18: Keynote speaker, Tony Dyhouse, cyber security director at ICT Knowledge Transfer\r\nNetwork, will discuss options to prevent your company from becoming a victim to an advanced, persistent\r\nthreat (APT).\r\nSC Awards\r\nIn Print\r\nJanuary 22, 2014\r\nIran and Russia blamed for state-sponsored espionage\r\nSecurity analyst says that a cyber warfare arms agreement is inevitable\r\nIran and Russia blamed for state-sponsored espionage\r\nA U.S. research group has identified no less than five state-sponsored espionage groups, including actors from\r\nChina, Iran and Russia.\r\nAccording to CrowdStrike's annual analysis of security threats, these espionage groups include:\r\nDeadeye Jackal: commonly known as the Syrian Electronic Army (SEA)\r\nEmissary Panda: a China-based actor that targets foreign embassies to collect data on government, defence, and\r\ntechnology sectors\r\nEnergetic Bear: a Russian group that collects intelligence on the energy industry\r\nMagic Kitten: an established group of cyber attackers based in Iran, who carried on several campaigns in 2013,\r\nincluding a series of attacks targeting political dissidents and those supporting Iranian political opposition\r\nNumbered Panda: a group of China-based attackers, who conducted a number of spear phishing attacks in 2013\r\nhttps://web.archive.org/web/20140129192702/https://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/\r\nPage 2 of 5\n\nDmitri Alperovitch, CrowdStrike's CTO, says that the report seeks to explain the motivation and intent behind\r\ncyber warfare attacks originating from China, Iran, Russia and Syria, and focuses on what's most important –\r\nnamely the adversary - rather than just the exploits they create.\r\nThis is, he explained, a major step in fighting cyber security threats on a new battleground - identifying and\r\ndefending against human adversaries, rather than simply trying to block malicious code.\r\nThe research firm's report says that Strategic Web Compromise (SWC) attacks have become a favourite attack\r\nvector of targeted attack groups originating from China and Russia, while the Numbered Panda group from China\r\nhas been carrying out G20-themed spear phishing.\r\nThe Iran-based actor known as Magic Kitten, meanwhile, was spotted targeting pro-democratic activists as a\r\nprecursor to the May 2013 Iranian elections, whilst the Russian Energetic Bear group was very active against\r\nWestern energy sector targets.\r\nEmissary Panda, which CrowdStrike defines as a Chinese nexus intrusion group, has been targeting foreign\r\nembassies to deliver malware in a SWC campaign.\r\nThe report highlights the Russians as being involved in the same type of state-sponsored attacks identified by\r\nMandiant in its 2013 report on Chinese state-sponsored attack vectors.\r\n\"A recent investigation into the activity of a Russian-speaking adversary identified an actor whose services may\r\nhave been acquired for specific operations on behalf of a nation-state customer,” reads the analysis.\r\n“This adversary has been involved in targeted activity for nearly a decade, but malware analysis showed\r\nsignificant similarities to known cybercrime activity utilising Sheldor and ZeuS malware.”\r\n\"The combination of criminal and targeted activity suggests an adversary that conducts malicious activity on its\r\nown accord, possibly as part of a continuing criminal enterprise, and also at the direction of a government entity,\"\r\nit adds.\r\nThe report adds that the motivations of private entities that conduct operations in support of a nation-state may\r\nvary, but in certain circumstances, \"it may be that a government will turn a blind eye to criminal activity if an\r\nactor will use its skills to further the state's interests.\"\r\nIn other attacks, CrowdStrike says that it may well be that the private entity is a company that sells its expertise\r\nand resources to its government, or to the governments of other countries.\r\n\"Another motivation could be more nationalistic - possibly like the case of Deadeye Jackal, where a private group\r\nlends its services to the state out of a feeling of patriotism,\" the report concludes.\r\nCommenting on the analysis of the state-sponsored attacks, leading analyst Sarb Sembhi, a Director of Consulting\r\nwith Incoming Thought, told SCMagazineUK.com that there are some assumptions that have to be made about\r\nstate-level attacks, and one of these is that the attacks are very real and have been taking place for many years.\r\n\"If you look at the G20 nations, my observations suggest that if any of these countries are not involved in cyber\r\nwarfare, then I would be very surprised,\" he said, adding that, whilst we have yet to reach the stage where a single\r\nhttps://web.archive.org/web/20140129192702/https://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/\r\nPage 3 of 5\n\npiece of malware has same damage potential as a nuclear bomb, it is only a matter of time before that\r\nbreakthrough is made.\r\nAt that point, says Sembhi - who is a leading light at ISACA, the not-for-profit IT security association - there will\r\nhave to be a multi-country agreement on the control of cyber warfare, just as there has been with nuclear weapons.\r\n\"Nation states will have to agree on a set of rules in which they work out what can and cannot be done with state-sponsored malware and its like,\" he said.\r\nRelated Articles\r\nPresident Obama's NSA reforms to relax spying on allies\r\nThink like an attacker:\r\nSecond Microsoft hack by Syrian Electronic Army\r\nNSA surveillance reportedly hits offline PCs\r\nCareless staff beats theft and malware as biggest CISO fear\r\nNext Article in News\r\nMore in News\r\nGCHQ accused of monitoring Facebook Likes and YouTube ...\r\nIs GCHQ sifting through everyone's UK Internet usage metadata?\r\nJava drives new cross-platform DDoS bot malware\r\n\"This is more proof that the Apple Mac is nowhere near as resilient to attacks as people think it is\" - Nigel Stanley,\r\nIncoming Thought analyst\r\nhttps://web.archive.org/web/20140129192702/https://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/\r\nPage 4 of 5\n\nFacebook's Android app wants access to your text ...\r\nFacebook's updated Android application is under fire with the latest iteration requiring user permission to read\r\nSMS messages.\r\nSource: https://web.archive.org/web/20140129192702/https://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/a\r\nrticle/330401/\r\nhttps://web.archive.org/web/20140129192702/https://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/\r\nPage 5 of 5", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia", "MISPGALAXY" ], "origins": [ "web" ], "references": [ "https://web.archive.org/web/20140129192702/https://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/" ], "report_names": [ "330401" ], "threat_actors": [ { "id": "e575ba5a-702c-4a64-9bda-c4b1061210e5", "created_at": "2022-10-25T16:07:23.245788Z", "updated_at": "2026-04-10T02:00:04.763889Z", "deleted_at": null, "main_name": "Magic Kitten", "aliases": [], "source_name": "ETDA:Magic Kitten", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "5d2bd376-fcdc-4c6a-bc2c-17ebbb5b81a4", "created_at": "2022-10-25T16:07:23.667223Z", "updated_at": "2026-04-10T02:00:04.705778Z", "deleted_at": null, "main_name": "GCHQ", "aliases": [ "Government Communications Headquarters", "Operation Socialist" ], "source_name": "ETDA:GCHQ", "tools": [ "Prax", "Regin", "WarriorPride" ], "source_id": "ETDA", "reports": null }, { "id": "2f498e6b-3f0e-4f26-8cc7-52121e675643", "created_at": "2023-01-06T13:46:38.447274Z", "updated_at": "2026-04-10T02:00:02.978901Z", "deleted_at": null, "main_name": "Deadeye Jackal", "aliases": [ "SyrianElectronicArmy" ], "source_name": "MISPGALAXY:Deadeye Jackal", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "efeeab6a-219e-4a45-9b2f-9f77c647ffd2", "created_at": "2023-01-06T13:46:38.370366Z", "updated_at": "2026-04-10T02:00:02.946455Z", "deleted_at": null, "main_name": "Magic Kitten", "aliases": [ "Group 42" ], "source_name": "MISPGALAXY:Magic Kitten", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "649b5b3e-b16e-44db-91bc-ae80b825050e", "created_at": "2022-10-25T15:50:23.290412Z", "updated_at": "2026-04-10T02:00:05.257022Z", "deleted_at": null, "main_name": "Dragonfly", "aliases": [ "TEMP.Isotope", "DYMALLOY", "Berserk Bear", "TG-4192", "Crouching Yeti", "IRON LIBERTY", "Energetic Bear", "Ghost Blizzard" ], "source_name": "MITRE:Dragonfly", "tools": [ "MCMD", "Impacket", "CrackMapExec", "Backdoor.Oldrea", "Mimikatz", "PsExec", "Trojan.Karagany", "netsh" ], "source_id": "MITRE", "reports": null }, { "id": "76fc6d92-0710-4640-bfa7-3000fe3940a5", "created_at": "2022-10-25T16:07:24.251595Z", "updated_at": "2026-04-10T02:00:04.911951Z", "deleted_at": null, "main_name": "Syrian Electronic Army (SEA)", "aliases": [ "ATK 196", "Deadeye Jackal", "Syria Malware Team", "Syrian Electronic Army", "TAG-CT2" ], "source_name": "ETDA:Syrian Electronic Army (SEA)", "tools": [ "AndoServer", "CypherRat", "SLRat", "SandroRAT", "SilverHawk", "SpyNote", "SpyNote RAT" ], "source_id": "ETDA", "reports": null }, { "id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c", "created_at": "2022-10-25T15:50:23.819113Z", "updated_at": "2026-04-10T02:00:05.354598Z", "deleted_at": null, "main_name": "Threat Group-3390", "aliases": [ "Threat Group-3390", "Earth Smilodon", "TG-3390", "Emissary Panda", "BRONZE UNION", "APT27", "Iron Tiger", "LuckyMouse", "Linen Typhoon" ], "source_name": "MITRE:Threat Group-3390", "tools": [ "Systeminfo", "gsecdump", "PlugX", "ASPXSpy", "Cobalt Strike", "Mimikatz", "Impacket", "gh0st RAT", "certutil", "China Chopper", "HTTPBrowser", "Tasklist", "netstat", "SysUpdate", "HyperBro", "ZxShell", "RCSession", "ipconfig", "Clambling", "pwdump", "NBTscan", "Pandora", "Windows Credential Editor" ], "source_id": "MITRE", "reports": null }, { "id": "c5f79f58-db78-4cd7-88cf-c029a2199360", "created_at": "2022-10-25T16:07:23.325227Z", "updated_at": "2026-04-10T02:00:04.542909Z", "deleted_at": null, "main_name": "APT 12", "aliases": [ "APT 12", "BeeBus", "Bronze Globe", "CTG-8223", "Calc Team", "Crimson Iron", "DNSCalc", "DynCALC", "G0005", "Group 22", "Hexagon Typhoon", "Numbered Panda" ], "source_name": "ETDA:APT 12", "tools": [ "AUMLIB", "ETUMBOT", "Exploz", "Graftor", "HIGHTIDE", "IHEATE", "IXESHE", "RIPTIDE", "RapidStealer", "Specfix", "THREEBYTE", "bbsinfo", "mswab", "yayih" ], "source_id": "ETDA", "reports": null }, { "id": "d18fe42c-8407-4f96-aee0-a04e6dce219a", "created_at": "2023-01-06T13:46:38.275292Z", "updated_at": "2026-04-10T02:00:02.907303Z", "deleted_at": null, "main_name": "APT12", "aliases": [ "Group 22", "Calc Team", "DNSCalc", "IXESHE", "Hexagon Typhoon", "BeeBus", "DynCalc", "Crimson Iron", "BRONZE GLOBE", "NUMBERED PANDA", "TG-2754" ], "source_name": "MISPGALAXY:APT12", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad", "created_at": "2022-10-25T16:07:23.590051Z", "updated_at": "2026-04-10T02:00:04.679488Z", "deleted_at": null, "main_name": "Energetic Bear", "aliases": [ "ATK 6", "Blue Kraken", "Crouching Yeti", "Dragonfly", "Electrum", "Energetic Bear", "G0035", "Ghost Blizzard", "Group 24", "ITG15", "Iron Liberty", "Koala Team", "TG-4192" ], "source_name": "ETDA:Energetic Bear", "tools": [ "Backdoor.Oldrea", "CRASHOVERRIDE", "Commix", "CrackMapExec", "CrashOverride", "Dirsearch", "Dorshel", "Fertger", "Fuerboos", "Goodor", "Havex", "Havex RAT", "Hello EK", "Heriplor", "Impacket", "Industroyer", "Karagany", "Karagny", "LightsOut 2.0", "LightsOut EK", "Listrix", "Oldrea", "PEACEPIPE", "PHPMailer", "PsExec", "SMBTrap", "Subbrute", "Sublist3r", "Sysmain", "Trojan.Karagany", "WSO", "Webshell by Orb", "Win32/Industroyer", "Wpscan", "nmap", "sqlmap", "xFrost" ], "source_id": "ETDA", "reports": null }, { "id": "c63ab035-f9f2-4723-959b-97a7b98b5942", "created_at": "2023-01-06T13:46:38.298354Z", "updated_at": "2026-04-10T02:00:02.917311Z", "deleted_at": null, "main_name": "APT27", "aliases": [ "BRONZE UNION", "Circle Typhoon", "Linen Typhoon", "TEMP.Hippo", "Budworm", "Lucky Mouse", "G0027", "GreedyTaotie", "Red Phoenix", "Iron Tiger", "Iron Taurus", "Earth Smilodon", "TG-3390", "EMISSARY PANDA", "Group 35", "ZipToken" ], "source_name": "MISPGALAXY:APT27", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "5cbf6c32-482d-4cd2-9d11-0d9311acdc28", "created_at": "2023-01-06T13:46:38.39927Z", "updated_at": "2026-04-10T02:00:02.958273Z", "deleted_at": null, "main_name": "ENERGETIC BEAR", "aliases": [ "BERSERK BEAR", "ALLANITE", "Group 24", "Koala Team", "G0035", "ATK6", "ITG15", "DYMALLOY", "TG-4192", "Crouching Yeti", "Havex", "IRON LIBERTY", "Blue Kraken", "Ghost Blizzard" ], "source_name": "MISPGALAXY:ENERGETIC BEAR", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "6a660ea2-1118-404a-9f8f-f0d6a1e9f184", "created_at": "2022-10-25T15:50:23.685924Z", "updated_at": "2026-04-10T02:00:05.364493Z", "deleted_at": null, "main_name": "APT12", "aliases": [ "APT12", "IXESHE", "DynCalc", "Numbered Panda", "DNSCALC" ], "source_name": "MITRE:APT12", "tools": [ "Ixeshe", "RIPTIDE", "HTRAN" ], "source_id": "MITRE", "reports": null }, { "id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43", "created_at": "2025-08-07T02:03:24.68371Z", "updated_at": "2026-04-10T02:00:03.64323Z", "deleted_at": null, "main_name": "BRONZE UNION", "aliases": [ "APT27 ", "Bowser", "Budworm ", "Circle Typhoon ", "Emissary Panda ", "Group35", "Iron Tiger ", "Linen Typhoon ", "Lucky Mouse ", "TG-3390 ", "Temp.Hippo " ], "source_name": "Secureworks:BRONZE UNION", "tools": [ "AbcShell", "China Chopper", "EAGERBEE", "Gh0st RAT", "OwaAuth", "PhantomNet", "PoisonIvy", "Sysupdate", "Wonknu", "Wrapikatz", "ZxShell", "reGeorg" ], "source_id": "Secureworks", "reports": null }, { "id": "dc0eb4da-1f8c-4f2a-9530-62b0efbb1c35", "created_at": "2025-08-07T02:03:24.608888Z", "updated_at": "2026-04-10T02:00:03.749632Z", "deleted_at": null, "main_name": "BRONZE GLOBE", "aliases": [ "APT12 ", "CTG-8223 ", "DyncCalc ", "Numbered Panda ", "PortCalc" ], "source_name": "Secureworks:BRONZE GLOBE", "tools": [ "Badpuck", "BeepService", "Etumbot", "Gh0st RAT", "Ixeshe", "Mswab", "RAdmin", "Seatran", "SvcInstaller", "Ziyang" ], "source_id": "Secureworks", "reports": null }, { "id": "5c13338b-eaed-429a-9437-f5015aa98276", "created_at": "2022-10-25T16:07:23.582715Z", "updated_at": "2026-04-10T02:00:04.675765Z", "deleted_at": null, "main_name": "Emissary Panda", "aliases": [ "APT 27", "ATK 15", "Bronze Union", "Budworm", "Circle Typhoon", "Earth Smilodon", "Emissary Panda", "G0027", "Group 35", "Iron Taurus", "Iron Tiger", "Linen Typhoon", "LuckyMouse", "Operation DRBControl", "Operation Iron Tiger", "Operation PZChao", "Operation SpoiledLegacy", "Operation StealthyTrident", "Red Phoenix", "TEMP.Hippo", "TG-3390", "ZipToken" ], "source_name": "ETDA:Emissary Panda", "tools": [ "ASPXSpy", "ASPXTool", "Agent.dhwf", "AngryRebel", "Antak", "CHINACHOPPER", "China Chopper", "Destroy RAT", "DestroyRAT", "FOCUSFJORD", "Farfli", "Gh0st RAT", "Ghost RAT", "HTTPBrowser", "HTran", "HUC Packet Transmit Tool", "HighShell", "HttpBrowser RAT", "HttpDump", "HyperBro", "HyperSSL", "HyperShell", "Kaba", "Korplug", "LOLBAS", "LOLBins", "Living off the Land", "Mimikatz", "Moudour", "Mydoor", "Nishang", "OwaAuth", "PCRat", "PlugX", "ProcDump", "PsExec", "RedDelta", "SEASHARPEE", "Sensocode", "SinoChopper", "Sogu", "SysUpdate", "TIGERPLUG", "TVT", "Thoper", "Token Control", "TokenControl", "TwoFace", "WCE", "Windows Credential Editor", "Windows Credentials Editor", "Xamtrav", "ZXShell", "gsecdump", "luckyowa" ], "source_id": "ETDA", "reports": null }, { "id": "236429ce-6355-43f6-9b58-e6803a1df3f4", "created_at": "2026-03-16T02:02:50.60344Z", "updated_at": "2026-04-10T02:00:03.641587Z", "deleted_at": null, "main_name": "Bronze Union", "aliases": [ "Circle Typhoon ", "Emissary Panda " ], "source_name": "Secureworks:Bronze Union", "tools": [ "China Chopper", "OwaAuth", "Sysupdate" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434269, "ts_updated_at": 1775826754, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/9b2f115a5439843eea6df6a7c3788edc4a221b2a.pdf", "text": "https://archive.orkl.eu/9b2f115a5439843eea6df6a7c3788edc4a221b2a.txt", "img": "https://archive.orkl.eu/9b2f115a5439843eea6df6a7c3788edc4a221b2a.jpg" } }