{
	"id": "0595be23-fe9e-430b-a0bb-b5c8b87db648",
	"created_at": "2026-04-06T00:15:48.65908Z",
	"updated_at": "2026-04-10T13:12:46.612094Z",
	"deleted_at": null,
	"sha1_hash": "a3635f5887509e02dc74836676e5d3b91fecb761",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 32542,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 18:28:34 UTC\r\nDescription\r\nBlackEnergy, its first version shortened as BE1, started as a crimeware being sold in the Russian cyber\r\nunderground as early as 2007. Initially, it was designed as a toolkit for creating botnets for conducting DDoS\r\nattacks. It supported a variety of flooding commands including protocols like ICMP, TCP SYN, UDP, HTTP and\r\nDNS. Among the high profile targets of cyber attacks utilising BE1 were a Norwegian bank and government\r\nwebsites in Georgia three weeks before the Russo-Georgian War.\r\nVersion 2 of BlackEnergy, BE2, came in 2008 with a complete code rewrite that introduced a protective layer, a\r\nkernel-mode rootkit and a modular architecture. Plugins included mostly DDoS attacks, a spam plugin and two\r\nbanking authentication plugins to steal from Russian and Ukrainian banks. The banking plugin was paired with a\r\nmodule designed to destroy the filesystem. Moreover, BE2 was able to\r\n- download and execute a remote file;\r\n- execute a local file on the infected computer;\r\n- update the bot and its plugins.\r\nThe Industrial Control Systems Cyber Emergency Response Team issued an alert warning that BE2 was\r\nleveraging the human-machine interfaces of industrial control systems like GE CIMPLICITY,\r\nAdvantech/Broadwin WebAccess, and Siemens WinCC to gain access to critical infrastructure networks.\r\nIn 2014, the BlackEnergy toolkit, BE3, switched to a lighter footprint with no kernel-mode driver component. Its\r\nplugins included:\r\n- operations with the victim's filesystem\r\n- spreading with a parasitic infector\r\n- spying features like keylogging, screenshots or a robust password stealer\r\n- TeamViewer and a simple pseudo “remote desktop”\r\n- listing Windows accounts and scanning the network\r\n- destroying the system\r\nTypical for distribution of BE3 was heavy use of spear-phishing emails containing Microsoft Word or Excel\r\ndocuments with a malicious VBA macro, Rich Text Format (RTF) documents embedding exploits or a PowerPoint\r\npresentation with zero-day exploit CVE-2014-4114.\r\nOn 23 December 2015, attackers behind the BlackEnergy malware successfully caused power outages for several\r\nhours in different regions of Ukraine. This cyber sabotage against three energy companies has been confirmed by\r\nthe Ukrainian government. The power grid compromise has become known as the first-of-its-kind cyber warfare\r\nattack affecting civilians.\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=71a41973-bea6-4f24-a218-afb42673d16d",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=71a41973-bea6-4f24-a218-afb42673d16d"
	],
	"report_names": [
		"listgroups.cgi?u=71a41973-bea6-4f24-a218-afb42673d16d"
	],
	"threat_actors": [],
	"ts_created_at": 1775434548,
	"ts_updated_at": 1775826766,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a3635f5887509e02dc74836676e5d3b91fecb761.pdf",
		"text": "https://archive.orkl.eu/a3635f5887509e02dc74836676e5d3b91fecb761.txt",
		"img": "https://archive.orkl.eu/a3635f5887509e02dc74836676e5d3b91fecb761.jpg"
	}
}