{
	"id": "66233597-df49-4bb1-a5fb-62e852f52606",
	"created_at": "2026-04-06T00:22:31.552818Z",
	"updated_at": "2026-04-10T03:29:45.380381Z",
	"deleted_at": null,
	"sha1_hash": "d3fc62488479f3a5992be414a32787a7d39a8260",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51166,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 17:10:46 UTC\r\n APT group: GCHQ\r\nNames\r\nGCHQ (real name)\r\nGovernment Communications Headquarters (real name)\r\nCountry UK\r\nSponsor State-sponsored\r\nMotivation Information theft and espionage\r\nFirst seen 1919\r\nDescription\r\n(Wikipedia) GCHQ gains its intelligence by monitoring a wide variety of\r\ncommunications and other electronic signals. For this, a number of stations have\r\nbeen established in the UK and overseas. The listening stations are at Cheltenham\r\nitself, Bude, Scarborough, Ascension Island, and with the United States at Menwith\r\nHill. Ayios Nikolaos Station in Cyprus is run by the British Army for GCHQ.\r\nAs revealed by Edward Snowden in The Guardian, GCHQ spied on foreign\r\npoliticians visiting the 2009 G-20 London Summit by eavesdropping phonecalls and\r\nemails and monitoring their computers, and in some cases even ongoing after the\r\nsummit via keyloggers that had been installed during the summit.\r\nOther publicly exposed major APT activities from GCHQ involve the wholesale\r\nworldwide spying from programs such as, together with Equation Group,\r\nINCENSER, where various international Internet trunks were tapped.\r\nObserved\r\nSectors: Government, Telecommunications.\r\nCountries: Belgium, UK.\r\nTools used Regin.\r\nOperations performed\r\n2009\r\nGCHQ intercepted foreign politicians' communications at G20 summits\r\n\u003chttps://www.theguardian.com/uk/2013/jun/16/gchq-intercepted-communications-g20-summits\u003e\r\n2010 Operation Socialist\r\nBreach of the infrastructure of the Belgian telecommunications company\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=9d92be76-3493-4c22-a22c-73e34bb2bb66\r\nPage 1 of 2\n\nBelgacom.\nInformation\nLast change to this card: 17 July 2020\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=9d92be76-3493-4c22-a22c-73e34bb2bb66\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=9d92be76-3493-4c22-a22c-73e34bb2bb66\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=9d92be76-3493-4c22-a22c-73e34bb2bb66"
	],
	"report_names": [
		"showcard.cgi?u=9d92be76-3493-4c22-a22c-73e34bb2bb66"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5d2bd376-fcdc-4c6a-bc2c-17ebbb5b81a4",
			"created_at": "2022-10-25T16:07:23.667223Z",
			"updated_at": "2026-04-10T02:00:04.705778Z",
			"deleted_at": null,
			"main_name": "GCHQ",
			"aliases": [
				"Government Communications Headquarters",
				"Operation Socialist"
			],
			"source_name": "ETDA:GCHQ",
			"tools": [
				"Prax",
				"Regin",
				"WarriorPride"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "08623296-52be-4977-8622-50efda44e9cc",
			"created_at": "2023-01-06T13:46:38.549387Z",
			"updated_at": "2026-04-10T02:00:03.020003Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"Tilded Team",
				"EQGRP",
				"G0020"
			],
			"source_name": "MISPGALAXY:Equation Group",
			"tools": [
				"TripleFantasy",
				"GrayFish",
				"EquationLaser",
				"EquationDrug",
				"DoubleFantasy"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2d9fbbd7-e4c3-40e5-b751-27af27c8610b",
			"created_at": "2024-05-01T02:03:08.144214Z",
			"updated_at": "2026-04-10T02:00:03.674763Z",
			"deleted_at": null,
			"main_name": "PLATINUM COLONY",
			"aliases": [
				"Equation Group "
			],
			"source_name": "Secureworks:PLATINUM COLONY",
			"tools": [
				"DoubleFantasy",
				"EquationDrug",
				"EquationLaser",
				"Fanny",
				"GrayFish",
				"TripleFantasy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e0fed6e6-a593-4041-80ef-694261825937",
			"created_at": "2022-10-25T16:07:23.593572Z",
			"updated_at": "2026-04-10T02:00:04.680752Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"APT-C-40",
				"G0020",
				"Platinum Colony",
				"Tilded Team"
			],
			"source_name": "ETDA:Equation Group",
			"tools": [
				"Bvp47",
				"DEMENTIAWHEEL",
				"DOUBLEFANTASY",
				"DanderSpritz",
				"DarkPulsar",
				"DoubleFantasy",
				"DoubleFeature",
				"DoublePulsar",
				"Duqu",
				"EQUATIONDRUG",
				"EQUATIONLASER",
				"EQUESTRE",
				"Flamer",
				"GRAYFISH",
				"GROK",
				"OddJob",
				"Plexor",
				"Prax",
				"Regin",
				"Skywiper",
				"TRIPLEFANTASY",
				"Tilded",
				"UNITEDRAKE",
				"WarriorPride",
				"sKyWIper"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434951,
	"ts_updated_at": 1775791785,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d3fc62488479f3a5992be414a32787a7d39a8260.pdf",
		"text": "https://archive.orkl.eu/d3fc62488479f3a5992be414a32787a7d39a8260.txt",
		"img": "https://archive.orkl.eu/d3fc62488479f3a5992be414a32787a7d39a8260.jpg"
	}
}