{
	"id": "334884fd-35ed-4419-b281-2841b096ac46",
	"created_at": "2026-04-06T00:12:02.575048Z",
	"updated_at": "2026-04-10T13:13:03.064152Z",
	"deleted_at": null,
	"sha1_hash": "fa3146c7d4e1f91891295e6a15cd5a6c68d7192d",
	"title": "Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 237118,
	"plain_text": "Russian State-Sponsored and Criminal Cyber Threats to Critical\r\nInfrastructure | CISA\r\nPublished: 2022-05-09 · Archived: 2026-04-05 12:43:27 UTC\r\nSummary\r\nActions critical infrastructure organizations should implement to immediately protect against Russian state-sponsored and criminal cyber threats:\r\n• Patch all systems. Prioritize patching known exploited vulnerabilities.\r\n• Enforce multifactor authentication.\r\n• Secure and monitor Remote Desktop Protocol and other risky services.\r\n• Provide end-user awareness and training.\r\nThe cybersecurity authorities of the United States[1][2][3], Australia[4 ], Canada[5 ], New Zealand[6 ], and\r\nthe United Kingdom[7 ][8 ] are releasing this joint Cybersecurity Advisory (CSA). The intent of this joint CSA\r\nis to warn organizations that Russia’s invasion of Ukraine could expose organizations both within and beyond the\r\nregion to increased malicious cyber activity. This activity may occur as a response to the unprecedented economic\r\ncosts imposed on Russia as well as materiel support provided by the United States and U.S. allies and partners.\r\nEvolving intelligence indicates that the Russian government is exploring options for potential cyberattacks (see\r\nthe March 21, 2022, Statement by U.S. President Biden for more information). Recent Russian state-sponsored\r\ncyber operations have included distributed denial-of-service (DDoS) attacks , and older operations have\r\nincluded deployment of destructive malware against Ukrainian government and critical infrastructure\r\norganizations. \r\nAdditionally, some cybercrime groups have recently publicly pledged support for the Russian government. These\r\nRussian-aligned cybercrime groups have threatened to conduct cyber operations in retaliation for perceived cyber\r\noffensives against the Russian government or the Russian people. 
Some groups have also threatened to conduct\r\ncyber operations against countries and organizations providing materiel support to Ukraine. Other cybercrime\r\ngroups have recently conducted disruptive attacks against Ukrainian websites, likely in support of the Russian\r\nmilitary offensive.\r\nThis advisory updates joint CSA Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S.\r\nCritical Infrastructure, which provides an overview of Russian state-sponsored cyber operations and commonly\r\nobserved tactics, techniques, and procedures (TTPs). This CSA—coauthored by U.S., Australian, Canadian, New\r\nZealand, and UK cyber authorities with contributions from industry members of the Joint Cyber Defense\r\nCollaborative (JCDC)—provides an overview of Russian state-sponsored advanced persistent threat (APT)\r\ngroups, Russian-aligned cyber threat groups, and Russian-aligned cybercrime groups to help the cybersecurity\r\ncommunity protect against possible cyber threats.\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa22-110a\r\nPage 1 of 18\n\nU.S., Australian, Canadian, New Zealand, and UK cybersecurity authorities urge critical infrastructure network\r\ndefenders to prepare for and mitigate potential cyber threats—including destructive malware, ransomware, DDoS\r\nattacks, and cyber espionage—by hardening their cyber defenses and performing due diligence in identifying\r\nindicators of malicious activity. Refer to the Mitigations section of this advisory for recommended hardening\r\nactions.\r\nFor more information on Russian state-sponsored cyber activity, see CISA’s Russia Cyber Threat Overview and\r\nAdvisories webpage. 
For more information on the heightened cyber threat to critical infrastructure organizations,\r\nsee the following resources:\r\nCybersecurity and Infrastructure Security Agency (CISA) Shields Up and Shields Up Technical Guidance\r\nwebpages\r\nAustralian Cyber Security Centre’s (ACSC) Advisory Australian Organisations Should Urgently Adopt an\r\nEnhanced Cyber Security Posture.\r\nCanadian Centre for Cyber Security (CCCS) Cyber Threat Bulletin Cyber Centre urges Canadian critical\r\ninfrastructure operators to raise awareness and take mitigations against known Russian-backed cyber threat\r\nactivity\r\nNational Cyber Security Centre New Zealand (NZ NCSC) General Security Advisory Understanding and\r\npreparing for cyber threats relating to tensions between Russia and Ukraine\r\nUnited Kingdom’s National Cyber Security Centre (NCSC-UK) guidance on how to bolster cyber\r\ndefences in light of the Russian cyber threat\r\nClick here for a PDF version of this report.\r\nTechnical Details\r\nRussian State-Sponsored Cyber Operations\r\nRussian state-sponsored cyber actors have demonstrated capabilities to compromise IT networks; develop\r\nmechanisms to maintain long-term, persistent access to IT networks; exfiltrate sensitive data from IT and\r\noperational technology (OT) networks; and disrupt critical industrial control systems (ICS)/OT functions by\r\ndeploying destructive malware. \r\nHistorical operations have included deployment of destructive malware—including BlackEnergy and NotPetya—\r\nagainst Ukrainian government and critical infrastructure organizations. Recent Russian state-sponsored cyber\r\noperations have included DDoS attacks against Ukrainian organizations. Note: for more information on Russian\r\nstate-sponsored cyber activity, including known TTPs, see joint CSA Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure. 
\r\nCyber threat actors from the following Russian government and military organizations have conducted malicious\r\ncyber operations against IT and/or OT networks:\r\nThe Russian Federal Security Service (FSB), including FSB’s Center 16 and Center 18\r\nRussian Foreign Intelligence Service (SVR)\r\nRussian General Staff Main Intelligence Directorate (GRU), 85th Main Special Service Center\r\n(GTsSS)\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa22-110a\r\nPage 2 of 18\n\nGRU’s Main Center for Special Technologies (GTsST)\r\nRussian Ministry of Defense, Central Scientific Institute of Chemistry and Mechanics (TsNIIKhM)\r\nThe Russian Federal Security Service\r\nOverview: FSB, the KGB’s successor agency, has conducted malicious cyber operations targeting the Energy\r\nSector, including UK and U.S. energy companies, U.S. aviation organizations, U.S. government and military\r\npersonnel, private organizations, cybersecurity companies, and journalists. FSB has been known to task criminal\r\nhackers for espionage-focused cyber activity; these same hackers have separately been responsible for disruptive\r\nransomware and phishing campaigns.\r\nIndustry reporting identifies three intrusion sets associated with the FSB, but the U.S. and UK governments have\r\nonly formally attributed one of these sets—known as BERSERK BEAR—to FSB.\r\nBERSERK BEAR (also known as Crouching Yeti, Dragonfly, Energetic Bear, and Temp.Isotope) has,\r\naccording to industry reporting, historically targeted entities in Western Europe and North America\r\nincluding state, local, tribal, and territorial (SLTT) organizations, as well as Energy, Transportation\r\nSystems, and Defense Industrial Base (DIB) Sector organizations. This group has also targeted the Water\r\nand Wastewater Systems Sector and other critical infrastructure facilities. 
Common TTPs include scanning\r\nto exploit internet-facing infrastructure and network appliances, conducting brute force attacks against\r\npublic-facing web applications, and leveraging compromised infrastructure—often websites frequented or\r\nowned by their target—for Windows New Technology Local Area Network Manager (NTLM) credential\r\ntheft. Industry reporting assesses that this actor has a destructive mandate.\r\nThe U.S. and UK governments assess that this APT group is almost certainly FSB’s Center 16, or Military Unit\r\n71330, and that FSB’s Center 16 has conducted cyber operations against critical IT systems and infrastructure in\r\nEurope, the Americas, and Asia. \r\nResources: for more information on BERSERK BEAR, see the MITRE ATT\u0026CK® webpage on Dragonfly .\r\nHigh-Profile Activity: in 2017, FSB employees, including one employee in the FSB Center for Information\r\nSecurity (also known as Unit 64829 and Center 18), were indicted by the U.S. Department of Justice (DOJ) for\r\naccessing email accounts of U.S. government and military personnel, private organizations, and cybersecurity\r\ncompanies, as well as email accounts of journalists critical of the Russian government.[9] More recently, in 2021,\r\nFSB Center 16 officers were indicted by the U.S. DOJ for their involvement in a multi-stage campaign in which\r\nthey gained remote access to U.S. and international Energy Sector networks, deployed ICS-focused malware, and\r\ncollected and exfiltrated enterprise and ICS-related data. One of the victims was a U.S. nuclear power plant.[10] \r\nResources: for more information on FSB, see: \r\nU.S. 
DOJ Press Release Four Russian Government Employees Charged in Two Historical Hacking\r\nCampaigns Targeting Critical Infrastructure Worldwide\r\nJoint CSA Tactics, Techniques, and Procedures of Indicted State-Sponsored Russian Cyber Actors\r\nTargeting the Energy Sector\r\nUK Press Release UK Exposes Russian Spy Agency Behind Cyber Incidents\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa22-110a\r\nPage 3 of 18\n\nRussian Foreign Intelligence Service\r\nOverview: SVR has operated an APT group since at least 2008 that has targeted multiple critical infrastructure\r\norganizations. SVR cyber threat actors have used a range of initial exploitation techniques that vary in\r\nsophistication coupled with stealthy intrusion tradecraft within compromised networks. SVR cyber actors’ novel\r\ntooling and techniques include:\r\nCustom, sophisticated multi-platform malware targeting Windows and Linux systems (e.g., GoldMax and\r\nTrailBlazer); and\r\nLateral movement via the “credential hopping” technique, which includes browser cookie theft to bypass\r\nmultifactor authentication (MFA) on privileged cloud accounts.[11 ]\r\nHigh-Profile Activity: the U.S. Government, the Government of Canada, and the UK Government assess that\r\nSVR cyber threat actors were responsible for the SolarWinds Orion supply chain compromise and the associated\r\ncampaign that affected U.S. 
government agencies, critical infrastructure entities, and private sector organizations.\r\n[12][13 ][14 ]\r\nAlso known as: APT29, COZY BEAR, CozyDuke, Dark Halo, The Dukes, NOBELIUM, and NobleBaron,\r\nStellarParticle, UNC2452, YTTRIUM [15 ]\r\nResources: for more information on SVR, see:\r\nJoint CSA Russian Foreign Intelligence Service (SVR) Cyber Operations: Trends and Best Practices for\r\nNetwork Defenders\r\nJoint Advisory Further TTPs associated with SVR cyber actors\r\nThe MITRE ATT\u0026CK webpage on APT29  \r\nFor more information on the SolarWinds Orion supply chain compromise, see:\r\nCISA’s Supply Chain Compromise webpage\r\nCISA’s webpage on Remediating Networks Affected by the SolarWinds and Active Directory/M365\r\nCompromise\r\nNCSC-UK Guidance Dealing with the SolarWinds Orion compromise\r\nGRU, 85th Main Special Service Center\r\nOverview: GTsSS, or Unit 26165, is an APT group that has operated since at least 2004 and primarily targets\r\ngovernment organizations, travel and hospitality entities, research institutions, and non-governmental\r\norganizations, in addition to other critical infrastructure organizations. \r\nAccording to industry reporting, GTsSS cyber actors frequently collect credentials to gain initial access to target\r\norganizations. GTsSS actors have collected victim credentials by sending spearphishing emails that appear to be\r\nlegitimate security alerts from the victim’s email provider and include hyperlinks leading to spoofed popular\r\nwebmail services’ logon pages. GTsSS actors have also registered domains to conduct credential harvesting\r\noperations. These domains mimic popular international social media platforms and masquerade as tourism- and\r\nsports-related entities and music and video streaming services.\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa22-110a\r\nPage 4 of 18\n\nHigh-Profile Activity: the U.S. 
Government assesses that GTsSS cyber actors have deployed Drovorub malware\r\nagainst victim devices as part of their cyber espionage operations.[16] The U.S. Government and UK Government\r\nassess that GTsSS actors used a Kubernetes® cluster to conduct widespread, distributed, and anonymized brute\r\nforce access attempts against hundreds of government and private sector targets worldwide.[17] \r\nAlso known as: APT28, FANCY BEAR, Group 74, IRON TWILIGHT, PawnStorm, Sednit,\r\nSNAKEMACKEREL, Sofacy, STRONTIUM, Swallowtail, TG-4127, Threat Group-4127, and Tsar Team [18 ]\r\nResources: for more information on GTsSS, see the MITRE ATT\u0026CK webpage on APT28 . \r\nGRU’s Main Center of Special Technologies\r\nOverview: GTsST, or Unit 74455, is an APT group that has operated since at least 2009 and has targeted a variety\r\nof critical infrastructure organizations, including those in the Energy, Transportation Systems, and Financial\r\nServices Sectors. According to industry reporting, GTsST also has an extensive history of conducting cyber\r\nespionage as well as destructive and disruptive operations against NATO member states, Western government and\r\nmilitary organizations, and critical infrastructure-related organizations, including in the Energy Sector.\r\nThe primary distinguishing characteristic of the group is its operations use techniques aimed at causing disruptive\r\nor destructive effects at targeted organizations using DDoS attacks or wiper malware. The group’s destructive\r\noperations have also leveraged wiper malware that mimics ransomware or hacktivism and can result in collateral\r\neffects to organizations beyond the primary intended targets. Some of their disruptive operations have shown\r\ndisregard or ignorance of potential secondary or tertiary effects. 
\r\nHigh-Profile Activity: the malicious activity below has been previously attributed to GTsST by the U.S.\r\nGovernment and the UK Government.[19][20]\r\nGTsST actors conducted a cyberattack against Ukrainian energy distribution companies in December 2015,\r\nleading to disruption of multiple companies’ operations and widespread temporary outages. The actors\r\ndeployed BlackEnergy malware to steal user credentials and used BlackEnergy’s destructive component,\r\nKillDisk, to make infected computers inoperable.\r\nIn 2016, GTsST actors conducted a cyber-intrusion campaign against a Ukrainian electrical transmission\r\ncompany and deployed CrashOverride malware (also known as Industroyer) specifically designed to attack\r\npower grids.\r\nIn June 2017, GTsST actors deployed NotPetya disruptive malware against Ukrainian financial, energy,\r\nand government organizations. NotPetya masqueraded as ransomware, had a large collateral impact, and\r\ncaused damage to millions of devices globally.\r\nIn 2018, GTsST actors deployed data-deletion malware against the Winter Olympics and Paralympics and\r\nseparately targeted home and office routers worldwide using VPNFilter.\r\nThe U.S. Government, the Government of Canada, and UK Government have also attributed the October 2019\r\nlarge-scale, disruptive cyber operations against a range of Georgian web hosting providers to GTsST. This activity\r\nresulted in websites—including sites belonging to the Georgian government, courts, non-government\r\norganizations (NGOs), media, and businesses—being defaced and interrupted the service of several national\r\nbroadcasters.[21][22][23]\r\nAlso known as: ELECTRUM, IRON VIKING, Quedagh, the Sandworm Team, Telebots, VOODOO BEAR [24]\r\nResources: for more information on GTsST, see the MITRE ATT\u0026CK webpage on Sandworm Team. 
\r\nRussian Ministry of Defense, Central Scientific Institute of Chemistry and Mechanics \r\nOverview: TsNIIKhM, as described on their webpage, is a research organization under Russia’s Ministry of\r\nDefense (MOD). Actors associated with TsNIIKhM have developed destructive ICS malware.\r\nHigh-Profile Activity: TsNIIKhM has been sanctioned by the U.S. Department of the Treasury for connections to\r\nthe destructive Triton malware (also called HatMan and TRISIS); TsNIIKhM has been sanctioned by the UK\r\nForeign, Commonwealth, and Development Office (FCDO) for a 2017 incident that involved safety override\r\ncontrols (with Triton malware) in a foreign oil refinery.[25][26 ] In 2021, the U.S. DOJ indicted a TsNIIKhM\r\nApplied Development Center (ADC) employee for conducting computer intrusions against U.S. Energy Sector\r\norganizations. The indicted employee also accessed the systems of a foreign oil refinery and deployed Triton\r\nmalware.[27] Triton is a custom-built malware designed to manipulate safety instrumented systems within ICS\r\ncontrollers, disabling the safety alarms that prevent dangerous conditions. \r\nAlso known as: Temp.Veles, XENOTIME [28 ]\r\nResources: for more information on TsNIIKhM, see the MITRE ATT\u0026CK webpage on TEMP.Veles . 
For more\r\ninformation on Triton, see:\r\nCISA Malware Analysis Report (MAR) Hatman – Safety System Targeted Malware (update B)\r\nCISA ICS Advisory: Schneider Electric Triconex Tricon (Update B)\r\nJoint CSA Tactics, Techniques, and Procedures of Indicted State-Sponsored Russian Cyber Actors\r\nTargeting the Energy Sector\r\nNCSC-UK Advisory TRITON Malware Targeting Safety Controllers\r\nRussian-Aligned Cyber Threat Groups\r\nIn addition to the APT groups identified in the Russian State-Sponsored Cyber Operations section, industry\r\nreporting identifies two intrusion sets—PRIMITIVE BEAR and VENOMOUS BEAR—as state-sponsored APT\r\ngroups, but U.S., Australian, Canadian, New Zealand, and UK cyber authorities have not attributed these groups to\r\nthe Russian government.\r\nPRIMITIVE BEAR has, according to industry reporting, targeted Ukrainian organizations since at least\r\n2013. This activity includes targeting Ukrainian government, military, and law enforcement entities using\r\nhigh-volume spearphishing campaigns to deliver its custom malware. According to industry reporting,\r\nPRIMITIVE BEAR conducted multiple cyber operations targeting Ukrainian organizations in the lead up\r\nto Russia’s invasion.\r\nResources: for more information on PRIMITIVE BEAR, see the MITRE ATT\u0026CK webpage on the Gamaredon\r\nGroup .\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa22-110a\r\nPage 6 of 18\n\nVENOMOUS BEAR has, according to industry reporting, historically targeted governments aligned with\r\nthe North Atlantic Treaty Organization (NATO), defense contractors, and other organizations of\r\nintelligence value. Venomous Bear is known for its unique use of hijacked satellite internet connections for\r\ncommand and control (C2). 
It is also known for the hijacking of other non-Russian state-sponsored APT\r\nactor infrastructure.[29] VENOMOUS BEAR has also historically leveraged compromised infrastructure\r\nand maintained an arsenal of custom-developed sophisticated malware families, which is extremely\r\ncomplex and interoperable with variants developed over time. VENOMOUS BEAR has developed tools\r\nfor multiple platforms, including Windows, Mac, and Linux.[30] \r\nResources: for more information on VENOMOUS BEAR, see the MITRE ATT\u0026CK webpage on Turla .\r\nRussian-Aligned Cybercrime Groups\r\nCybercrime groups are typically financially motivated cyber actors that seek to exploit human or security\r\nvulnerabilities to enable direct theft of money (e.g., by obtaining bank login information) or by extorting money\r\nfrom victims. These groups pose consistent threats to critical infrastructure organizations globally. \r\nSince Russia’s invasion of Ukraine in February 2022, some cybercrime groups have independently publicly\r\npledged support for the Russian government or the Russian people and/or threatened to conduct cyber operations\r\nto retaliate against perceived attacks against Russia or materiel support for Ukraine. These Russian-aligned\r\ncybercrime groups likely pose a threat to critical infrastructure organizations primarily through:\r\nDeploying ransomware through which cyber actors remove victim access to data (usually via encryption),\r\npotentially causing significant disruption to operations.\r\nConducting DDoS attacks against websites.\r\nIn a DDoS attack, the cyber actor generates enough requests to flood and overload the target page\r\nand stop it from responding.\r\nDDoS attacks are often accompanied by extortion.\r\nAccording to industry reporting, some cybercrime groups have recently carried out DDoS attacks\r\nagainst Ukrainian defense organizations, and one group claimed credit for DDoS attack against a\r\nU.S. 
airport the actors perceived as supporting Ukraine (see the Killnet section).\r\nBased on industry and open-source reporting, U.S., Australian, Canadian, New Zealand, and UK cyber authorities\r\nassess multiple Russian-aligned cybercrime groups pose a threat to critical infrastructure organizations. These\r\ngroups include:\r\nThe CoomingProject\r\nKillnet\r\nMUMMY SPIDER\r\nSALTY SPIDER\r\nSCULLY SPIDER\r\nSMOKEY SPIDER\r\nWIZARD SPIDER\r\nThe Xaknet Team\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa22-110a\r\nPage 7 of 18\n\nNote: although some cybercrime groups may conduct cyber operations in support of the Russian government,\r\nU.S., Australian, Canadian, New Zealand, and UK cyber authorities assess that cyber criminals will most likely\r\ncontinue to operate primarily based on financial motivations, which may include targeting government and critical\r\ninfrastructure organizations.\r\nThe CoomingProject\r\nOverview: the CoomingProject is a criminal group that extorts money from victims by exposing or threatening to\r\nexpose leaked data. Their data leak site was launched in August 2021.[31 ] The CoomingProject stated they\r\nwould support the Russian Government in response to perceived cyberattacks against Russia.[32 ]\r\nKillnet\r\nOverview: according to open-source reporting, Killnet released a video pledging support to Russia.[33 ] \r\nVictims: Killnet claimed credit for carrying out a DDoS attack against a U.S. airport in March 2022 in response\r\nto U.S. materiel support for Ukraine.[34 ]\r\nMUMMY SPIDER\r\nOverview: MUMMY SPIDER is a cybercrime group that creates, distributes, and operates the Emotet botnet.\r\nEmotet is advanced, modular malware that originated as a banking trojan (malware designed to steal information\r\nfrom banking systems but that may also be used to drop additional malware and ransomware). Today Emotet\r\nprimarily functions as a downloader and distribution service for other cybercrime groups. 
Emotet has been used to\r\ndeploy WIZARD SPIDER’s TrickBot, which is often a precursor to ransomware delivery. Emotet has worm-like\r\nfeatures that enable rapid spreading in an infected network. \r\nVictims: according to open sources, Emotet has been used to target industries worldwide, including financial, e-commerce, healthcare, academia, government, and technology organizations’ networks.\r\nAlso known as: Gold Crestwood, TA542, TEMP.Mixmaster, UNC3443\r\nResources: for more information on Emotet, see joint Alert Emotet Malware. For more information on TrickBot,\r\nsee joint CSA TrickBot Malware. \r\nSALTY SPIDER\r\nOverview: SALTY SPIDER is a cybercrime group that develops and operates the Sality botnet. Sality is a\r\npolymorphic file infector that was discovered in 2003; since then, it has been replaced by more advanced peer-to-peer (P2P) malware loaders.[35 ]\r\nVictims: according to industry reporting, in February 2022, SALTY SPIDER conducted DDoS attacks against\r\nUkrainian web forums used to discuss events relating to Russia’s military offensive against the city of Kharkiv.\r\nAlso known as: Sality\r\nSCULLY SPIDER\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa22-110a\r\nPage 8 of 18\n\nOverview: SCULLY SPIDER is a cybercrime group that operates using a malware-as-a-service model; SCULLY\r\nSPIDER maintains command and control infrastructure and sells access to their malware and infrastructure to\r\naffiliates, who distribute their own malware.[36 ][37 ] SCULLY SPIDER develops and operates the DanaBot\r\nbotnet, which originated primarily as a banking Trojan but expanded beyond banking in 2021 and has since been\r\nused to facilitate access for other types of malware, including TrickBot, DoppelDridex, and Zloader. 
Like Emotet,\r\nDanabot effectively functions as an initial access vector for other malware, which can result in ransomware\r\ndeployment.\r\nAccording to industry reporting, recent DDoS activity by the DanaBot botnet suggests SCULLY SPIDER has\r\noperated in support of Russia’s military offensive in Ukraine. \r\nVictims: SCULLY SPIDER affiliates have primarily targeted organizations in the United States, Canada,\r\nGermany, United Kingdom, Australia, Italy, Poland, Mexico, and Ukraine.[38 ] According to industry reporting,\r\nin March 2022, Danabot was used in DDoS attacks against multiple Ukrainian government organizations. \r\nAlso known as: Gold Opera\r\nSMOKEY SPIDER\r\nOverview: SMOKEY SPIDER is a cybercrime group that develops Smoke Loader (also known as Smoke Bot), a\r\nmalicious bot that is used to upload other malware. Smoke Loader has been available since at least 2011, and\r\noperates as a malware distribution service for a number of different payloads, including—but not limited to—\r\nDanaBot, TrickBot, and Qakbot.\r\nVictims: according to industry reporting, Smoke Loader was observed in March 2022 distributing DanaBot\r\npayloads that were subsequently used in DDoS attacks against Ukrainian targets.\r\nResources: for more information on Smoke Loader, see the MITRE ATT\u0026CK webpage on Smoke Loader .\r\nWIZARD SPIDER\r\nOverview: WIZARD SPIDER is a cybercrime group that develops TrickBot malware and Conti ransomware.\r\nHistorically, the group has paid a wage to the ransomware deployers (referred to as affiliates), some of whom may\r\nthen receive a share of the proceeds from a successful ransomware attack. 
In addition to TrickBot, notable initial\r\naccess and persistence vectors for affiliated actors include Emotet, Cobalt Strike, spearphishing, and stolen or\r\nweak Remote Desktop Protocol (RDP) credentials.\r\nAfter obtaining access, WIZARD SPIDER affiliated actors have relied on various publicly available and otherwise\r\nlegitimate tools to facilitate earlier stages of the attack lifecycle before deploying Conti ransomware.\r\nWIZARD SPIDER pledged support to the Russian government and threatened critical infrastructure organizations\r\nof countries perceived to carry out cyberattacks or war against the Russian government.[39 ] They later revised\r\nthis pledge and threatened to retaliate against perceived attacks against the Russian people.[40 ]\r\nVictims: Conti victim organizations span across multiple industries, including construction and engineering, legal\r\nand professional services, manufacturing, and retail. In addition, WIZARD SPIDER affiliates have deployed Conti\r\nransomware against U.S. healthcare and first responder networks.\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa22-110a\r\nPage 9 of 18\n\nAlso known as: UNC2727, Gold Ulrick\r\nResources: for more information on Conti, see joint CSA Conti Ransomware. For more information on TrickBot,\r\nsee joint CSA TrickBot Malware. \r\nThe XakNet Team\r\nOverview: XakNet is a Russian-language cyber group that has been active as early as March 2022. According to\r\nopen-source reporting, the XakNet Team threatened to target Ukrainian organizations in response to perceived\r\nDDoS or other attacks against Russia.[41 ] According to reporting from industry, on March 31, 2022, XakNet\r\nreleased a statement stating they would work “exclusively for the good of [Russia].” According to industry\r\nreporting, the XakNet Team may be working with or associated with Killnet actors, who claimed credit for the\r\nDDoS attacks against a U.S. 
airport (see the Killnet section).\r\nVictims: according to industry reporting, in late March 2022, the XakNet Team leaked email contents of a\r\nUkrainian government official. The leak was accompanied by a political statement criticizing the Ukrainian\r\ngovernment, suggesting the leak was politically motivated. \r\nMitigations\r\nU.S., Australian, Canadian, New Zealand, and UK cyber authorities urge critical infrastructure organizations to\r\nprepare for and mitigate potential cyber threats by immediately (1) updating software, (2) enforcing MFA, (3)\r\nsecuring and monitoring RDP and other potentially risky services, and (4) providing end-user awareness and\r\ntraining.\r\nUpdate software, including operating systems, applications, and firmware, on IT network assets.\r\nPrioritize patching known exploited vulnerabilities and critical and high vulnerabilities that allow for\r\nremote code execution or denial-of-service on internet-facing equipment.\r\nConsider using a centralized patch management system. For OT networks, use a risk-based\r\nassessment strategy to determine the OT network assets and zones that should participate in the\r\npatch management program.  \r\nConsider signing up for CISA’s cyber hygiene services, including vulnerability scanning, to help\r\nreduce exposure to threats. CISA’s vulnerability scanning service evaluates external network\r\npresence by executing continuous scans of public, static IP addresses for accessible services and\r\nvulnerabilities.\r\nEnforce MFA to the greatest extent possible and require accounts with password logins, including\r\nservice accounts, to have strong passwords. Do not allow passwords to be used across multiple accounts\r\nor stored on a system to which an adversary may have access. 
As Russian state-sponsored APT actors have\r\ndemonstrated the ability to exploit default MFA protocols and known vulnerabilities, organizations should\r\nreview configuration policies to protect against “fail open” and re-enrollment scenarios. For more\r\ninformation, see joint CSA Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting\r\nDefault Multifactor Authentication Protocols and “PrintNightmare” Vulnerability.\r\nIf you use RDP and/or other potentially risky services, secure and monitor them closely. RDP\r\nexploitation is one of the top initial infection vectors for ransomware, and risky services, including RDP,\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa22-110a\r\nPage 10 of 18\n\ncan allow unauthorized access to your session using an on-path attacker.\r\nLimit access to resources over internal networks, especially by restricting RDP and using virtual\r\ndesktop infrastructure. After assessing risks, if RDP is deemed operationally necessary, restrict the\r\noriginating sources and require MFA to mitigate credential theft and reuse. If RDP must be available\r\nexternally, use a virtual private network (VPN) or other means to authenticate and secure the\r\nconnection before allowing RDP to connect to internal devices. Monitor remote access/RDP logs,\r\nenforce account lockouts after a specified number of attempts to block brute force attempts, log\r\nRDP login attempts, and disable unused remote access/RDP ports.\r\nEnsure devices are properly configured and that security features are enabled. Disable ports and\r\nprotocols that are not being used for a business purpose (e.g., RDP Transmission Control Protocol\r\nPort 3389).\r\nProvide end-user awareness and training to help prevent successful targeted social engineering and\r\nspearphishing campaigns. 
Phishing is one of the top infection vectors for ransomware, and Russian state-sponsored APT actors have conducted successful spearphishing campaigns to gain credentials of target\r\nnetworks.\r\nEnsure that employees are aware of potential cyber threats and delivery methods.\r\nEnsure that employees are aware of what to do and whom to contact when they receive a suspected\r\nphishing email or suspect a cyber incident.\r\nAs part of a longer-term effort, implement network segmentation to separate network segments based on role\r\nand functionality. Network segmentation can help prevent the spread of ransomware and threat actor lateral\r\nmovement by controlling traffic flows between—and access to—various subnetworks.\r\nEnsure OT assets are not externally accessible. Ensure strong identity and access management when OT\r\nassets need to be externally accessible.\r\nAppropriately implement network segmentation between IT and OT networks. Network segmentation\r\nlimits the ability of adversaries to pivot to the OT network even if the IT network is compromised. Define a\r\ndemilitarized zone that eliminates unregulated communication between the IT and OT networks.\r\nOrganize OT assets into logical zones by considering criticality, consequence, and operational necessity.\r\nDefine acceptable communication conduits between the zones and deploy security controls to filter\r\nnetwork traffic and monitor communications between zones. Prohibit ICS protocols from traversing the IT\r\nnetwork.\r\nTo further prepare for and mitigate cyber threats from Russian state-sponsored or criminal actors, U.S., Australian,\r\nCanadian, New Zealand, and UK cyber authorities encourage critical infrastructure organizations to implement the\r\nrecommendations listed below.\r\nPreparing for Cyber Incidents\r\nCreate, maintain, and exercise a cyber incident response and continuity of operations plan.\r\nEnsure the cyber incident response plan contains ransomware- and DDoS-specific annexes. 
For\r\ninformation on preparing for DDoS attacks, see NCSC-UK guidance on preparing for denial-of-service attacks.\r\nKeep hard copies of the incident response plan to ensure responders and network defenders can\r\naccess the plan if the network has been shut down by ransomware, etc.\r\nMaintain offline (i.e., physically disconnected) backups of data. Backup procedures should be conducted\r\non a frequent, regular basis (at a minimum every 90 days). Regularly test backup procedures and ensure\r\nthat backups are isolated from network connections that could enable the spread of malware.\r\nEnsure the backup keys are kept offline as well, to prevent them from being encrypted in a ransomware\r\nincident.\r\nEnsure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire\r\norganization’s data infrastructure with a particular focus on key data assets.\r\nDevelop recovery documentation that includes configuration settings for common devices and critical\r\nequipment. Such documentation can enable more efficient recovery following an incident.\r\nIdentify the attack surface by mapping and accounting for all external-facing assets (applications, servers, IP\r\naddresses) that are vulnerable to DDoS attacks or other cyber operations.\r\nFor OT assets/networks:\r\nIdentify a resilience plan that addresses how to operate if you lose access to—or control of—the IT\r\nand/or OT environment.\r\nIdentify OT and IT network interdependencies and develop workarounds or manual controls to\r\nensure ICS networks can be isolated from IT networks if the connections create risk to the safe and\r\nreliable operation of OT processes. Regularly test contingency plans, such as manual controls, so\r\nthat safety-critical functions can be maintained during a cyber incident. 
Ensure that the OT network\r\ncan operate at necessary capacity even if the IT network is compromised.\r\nRegularly test manual controls so that critical functions can be kept running if ICS or OT networks\r\nneed to be taken offline.\r\nImplement data backup procedures.\r\nDevelop recovery documents that include configuration settings for common devices and critical\r\nOT equipment.\r\nIdentity and Access Management\r\nRequire accounts with password logins, including service accounts, to have strong passwords and do not\r\nallow passwords to be used across multiple accounts or stored on a system to which an adversary may have\r\naccess. Consider using a password manager; see NCSC-UK’s Password Manager Buyers Guide for\r\nguidance.\r\nImplement authentication timeout and lockout features to prevent repeated failed login attempts and\r\nsuccessful brute-force attempts.\r\nCreate a deny list of known compromised credentials and prevent users from using known-compromised\r\npasswords.\r\nSecure credentials by restricting where accounts and credentials can be used and by using local device\r\ncredential protection features. Russian state-sponsored APT actors have demonstrated their ability to\r\nmaintain persistence using compromised credentials.\r\nUse virtualizing solutions on modern hardware and software to ensure credentials are securely\r\nstored.\r\nEnsure storage of clear text passwords in Local Security Authority Subsystem Service (LSASS)\r\nmemory is disabled. Note: for Windows 8, this is enabled by default. For more information see\r\nMicrosoft Security Advisory Update to Improve Credentials Protection and Management.\r\nConsider disabling or limiting NTLM and WDigest Authentication.\r\nImplement Credential Guard for Windows 10 and Server 2016 (refer to Microsoft: Manage\r\nWindows Defender Credential Guard for more information). 
For Windows Server 2012 R2, enable\r\nProtected Process Light for Local Security Authority (LSA).\r\nMinimize the Active Directory (AD) attack surface to reduce malicious ticket-granting activity.\r\nMalicious activity such as “Kerberoasting” takes advantage of Kerberos’ Ticket Granting Service\r\n(TGS) and can be used to obtain hashed credentials that malicious cyber actors attempt to crack.\r\nAudit domain controllers to log successful Kerberos TGS requests and ensure the events are monitored for\r\nanomalous activity.\r\nSecure accounts.\r\nEnforce the principle of least privilege. Administrator accounts should have the minimum\r\npermission necessary to complete their tasks.\r\nEnsure there are unique and distinct administrative accounts for each set of administrative tasks.\r\nCreate non-privileged accounts for privileged users and ensure they use the non-privileged accounts\r\nfor all non-privileged access (e.g., web browsing, email access).\r\nDisable inactive accounts uniformly across the AD, MFA systems, etc.\r\nImplement time-based access for privileged accounts. The FBI and CISA observed cybercriminals\r\nconducting increasingly impactful attacks against U.S. entities on holidays and weekends in 2021. Threat\r\nactors may view holidays and weekends—when offices are normally closed—as attractive timeframes, as\r\nthere are fewer network defenders and IT support personnel at victim organizations. The just-in-time access\r\nmethod provisions privileged access when needed and can support enforcement of the principle of least\r\nprivilege (as well as the zero-trust model) by setting network-wide policy to automatically disable admin\r\naccounts at the AD level. As needed, individual users can submit requests through an automated process\r\nthat enables access to a system for a set timeframe. 
\r\nProtective Controls and Architecture\r\nIdentify, detect, and investigate abnormal activity that may indicate lateral movement by a threat actor,\r\nransomware, or other malware. Use network monitoring tools and host-based logs and monitoring tools,\r\nsuch as an endpoint detection and response (EDR) tool. EDR tools are particularly useful for detecting\r\nlateral connections as they have insight into common and uncommon network connections for each host.\r\nImplement a firewall and configure it to block Domain Name System (DNS) responses from outside the\r\nenterprise network or drop Internet Control Message Protocol (ICMP) packets. Review which admin\r\nservices need to be accessible externally and allow those explicitly, blocking all others by default.\r\nU.S. Defense Industrial Base organizations may sign up for the NSA Cybersecurity Collaboration\r\nCenter’s Protective Domain Name System (PDNS) services.\r\nEnable web application firewalls to mitigate application-level DDoS attacks.\r\nImplement a multi-content delivery network (CDN) solution. This will minimize the threat of DDoS\r\nattacks by distributing and balancing web traffic across a network.\r\nVulnerability and Configuration Management\r\nUse an antivirus program that uses heuristics and reputational ratings to check a file’s prevalence and\r\ndigital signature prior to execution. Note: organizations should assess the risks inherent in their software\r\nsupply chain (including its security/antivirus software supply chain) in light of the existing threat\r\nlandscape.\r\nSet antivirus/antimalware programs to conduct regular scans of IT network assets using up-to-date\r\nsignatures.\r\nUse a risk-based asset inventory strategy to determine how OT network assets are identified and\r\nevaluated for the presence of malware.\r\nImplement rigorous configuration management programs. 
Ensure the programs can track and mitigate\r\nemerging threats. Review system configurations for misconfigurations and security weaknesses.\r\nDisable all unnecessary ports and protocols.\r\nReview network security device logs and determine whether to shut off unnecessary ports and\r\nprotocols. Monitor common ports and protocols for command and control activity.\r\nTurn off or disable any unnecessary services (e.g., PowerShell) or functionality within devices.\r\nIdentify business-to-business VPNs and block high-risk protocols.\r\nEnsure OT hardware is in read-only mode.\r\nEnable strong spam filters.\r\nEnable strong spam filters to prevent phishing emails from reaching end users.\r\nFilter emails containing executable files to prevent them from reaching end users.\r\nImplement a user training program to discourage users from visiting malicious websites or opening\r\nmalicious attachments.\r\nRestrict Server Message Block (SMB) Protocol within the network to only access servers that are\r\nnecessary and remove or disable outdated versions of SMB (i.e., SMB version 1). Threat actors use SMB\r\nto propagate malware across organizations.\r\nReview the security posture of third-party vendors and those interconnected with your organization. Ensure\r\nall connections between third-party vendors and outside software or hardware are monitored and reviewed\r\nfor suspicious activity.\r\nImplement listing policies for applications and remote access that only allow systems to execute known\r\nand permitted programs under an established security policy.\r\nOpen document readers in protected viewing modes to help prevent active content from running.\r\nResponding to Cyber Incidents\r\nU.S., Australian, Canadian, New Zealand, and UK cybersecurity authorities urge network defenders of critical\r\ninfrastructure organizations to exercise due diligence in identifying indicators of malicious activity. 
Organizations\r\ndetecting potential APT or ransomware activity in their IT or OT networks should:\r\n1. Immediately isolate affected systems.\r\n2. For DDoS attacks:\r\na. Identify the source address originating the attack via the SIEM or logging service. If the attack is\r\noriginating from a single pool of IP addresses, block IP traffic from suspected IPs via access control\r\nlists or by contacting your internet service provider (ISP).\r\nb. Enable firewall rate limiting to restrict the amount of IP traffic coming in from suspected IP\r\naddresses.\r\nc. Notify your ISP and enable remote triggered blackhole (RTBH).\r\n3. Secure backups. Ensure your backup data is offline and secure. If possible, scan your backup data with an\r\nantivirus program to ensure it is free of malware.\r\n4. Collect and review relevant logs, data, and artifacts.\r\n5. Consider soliciting support from a third-party IT organization to provide subject matter expertise, ensure\r\nthe actor is eradicated from the network, and avoid residual issues that could enable follow-on exploitation.\r\n6. Report incidents to appropriate cyber and law enforcement authorities:\r\nU.S. organizations: share information about incidents and anomalous activity with CISA’s 24/7 Operations\r\nCenter at report@cisa.gov or (888) 282-0870 and/or the FBI via your local FBI field office or the FBI’s\r\n24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov. For ransomware incidents, organizations can\r\nalso report to the U.S. Secret Service via a U.S. Secret Service Field Office.\r\nAustralian organizations: if you have questions about this advice or have indications that your\r\nenvironment has been compromised, call the ACSC at 1300 CYBER1 (1300 292 371). 
To report an\r\nincident, see cyber.gov.au/acsc/report.\r\nCanadian organizations: report incidents by emailing CCCS at contact@cyber.gc.ca.\r\nNew Zealand organizations: if your organization requires assistance from the National Cyber Security\r\nCentre, contact them directly via telephone at (04) 498-7654 or via email at ncscincidents@ncsc.govt.nz.\r\nUK organizations: report a significant cybersecurity incident at ncsc.gov.uk/report-an-incident\r\n(monitored 24 hours) or, for urgent assistance, call 03000 200 973.\r\nFor additional guidance on responding to a ransomware incident, see the CISA-Multi-State Information Sharing\r\nand Analysis Center (MS-ISAC) Joint Ransomware Guide.\r\nSee the joint advisory from Australia, Canada, New Zealand, the United Kingdom, and the United States on\r\nTechnical Approaches to Uncovering and Remediating Malicious Activity for guidance on hunting or\r\ninvestigating a network, and for common mistakes in incident handling.\r\nAdditionally, CISA, the FBI, and NSA encourage U.S. critical infrastructure owners and operators to see CISA’s\r\nFederal Government Cybersecurity Incident and Vulnerability Response Playbooks. Although tailored to federal\r\ncivilian branch agencies, these playbooks provide operational procedures for planning and conducting\r\ncybersecurity incident and vulnerability response activities and detail each step for both incident and vulnerability\r\nresponse.\r\nNote: U.S., Australian, Canadian, New Zealand, and UK cyber authorities strongly discourage paying a ransom to\r\ncriminal actors. Paying a ransom may embolden adversaries to target additional organizations, encourage other\r\ncriminal actors to engage in the distribution of ransomware, and/or fund illicit activities. 
Paying the ransom does\r\nnot guarantee that a victim’s files will be recovered.\r\nRESOURCES\r\nFor more general information on Russian state-sponsored malicious cyber activity, see CISA’s Russia\r\nCyber Threat Overview and Advisories webpage and joint CSA Understanding and Mitigating Russian\r\nState-Sponsored Cyber Threats to U.S. Critical Infrastructure.\r\nFor alerts on malicious and criminal cyber activity, see the FBI Internet Crime Complaint Center webpage.\r\nFor more information and resources on protecting against and responding to ransomware, refer to\r\nStopRansomware.gov, a centralized, U.S. government webpage providing ransomware resources and\r\nalerts.\r\nFor more information on mitigating DDoS attacks, see NCSC-UK Denial of Service (DoS) Guidance.\r\nFor more information on managing cybersecurity incidents, see NZ NCSC Incident Management: Be\r\nResilient, Be Prepared.\r\nFor information on destructive malware, see joint CSA Destructive Malware Targeting Organizations in\r\nUkraine.\r\nCritical infrastructure owners and operators with OT/ICS networks should review the following resources\r\nfor additional information:\r\nJoint CSA NSA and CISA Recommend Immediate Actions to Reduce Exposure Across Operational\r\nTechnologies and Control Systems\r\nCISA factsheet Rising Ransomware Threat to Operational Technology Assets\r\nDISCLAIMER\r\nThe information you have accessed or received is being provided “as is” for informational purposes only. CISA,\r\nNSA, FBI, ACSC, CCCS, NZ NCSC, NCSC-UK, and the UK National Crime Agency (NCA) do not endorse any\r\ncommercial product or service, including any subjects of analysis. 
Any reference to specific commercial products,\r\nprocesses, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply\r\nendorsement, recommendation, or favoring.\r\nTRADEMARK RECOGNITION\r\nMITRE and ATT\u0026CK are registered trademarks of The MITRE Corporation. Kubernetes is a registered trademark\r\nof The Linux Foundation.\r\nPURPOSE\r\nThis document was developed by U.S., Australian, Canadian, New Zealand, and UK cybersecurity authorities in\r\nfurtherance of their respective cybersecurity missions, including their responsibilities to develop and issue\r\ncybersecurity specifications and mitigations.\r\nREFERENCES\r\n[1] Cybersecurity and Infrastructure Security Agency\r\n[2] Federal Bureau of Investigation\r\n[3] National Security Agency\r\n[4] Australian Cyber Security Centre\r\n[5] Canadian Centre for Cyber Security\r\n[6] New Zealand's National Cyber Security Centre\r\n[7] United Kingdom's National Cyber Security Centre\r\n[8] United Kingdom's National Crime Agency\r\n[9] U.S. DOJ Press Release: U.S. Charges Russian FSB Officers and Their Criminal Conspirators for Hacking\r\nYahoo and Millions of Email Accounts\r\n[10] U.S. DOJ Press Release: Four Russian Government Employees Charged in Two Historical Hacking\r\nCampaigns Targeting Critical Infrastructure Worldwide\r\n[11] CrowdStrike Blog: Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign\r\n[12] U.S. 
White House Statement: FACT SHEET: Imposing Costs for Harmful Foreign Activities by the Russian\r\n[13] Government of Canada Statement on SolarWinds Cyber Compromise\r\n[14] UK Government Press Release: Russia: UK and US expose global campaign of malign activity by Russian\r\nintelligence services\r\n[15] MITRE ATT\u0026CK: APT29\r\n[16] Joint CSA Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware\r\n[17] Joint CSA Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud\r\nEnvironments\r\n[18] MITRE ATT\u0026CK: APT28\r\n[19] Joint CSA New Sandworm Malware Cyclops Blink Replaces VPNFilter\r\n[20] UK Government Press Release: UK condemns Russia's GRU over Georgia cyber-attacks\r\n[21] U.S. Department of State, Press Statement: The United States Condemns Russian Cyber Attack Against the\r\nCountry of Georgia\r\n[22] Government of Canada CSE Statement on Malicious Russian Cyber Activity Targeting Georgia\r\n[23] UK Government Press Release: UK condemns Russia's GRU over Georgia cyber-attacks\r\n[24] MITRE ATT\u0026CK: The Sandworm Team\r\n[25] U.S. Department of the Treasury Press Release: Treasury Sanctions Russian Government Research Institution\r\nConnected to the Triton Malware\r\n[26] UK Government Press Release: UK exposes Russian spy agency behind cyber incident\r\n[27] U.S. DOJ Press Release: Four Russian Government Employees Charged in Two Historical Hacking\r\nCampaigns Targeting Critical Infrastructure Worldwide\r\n[28] MITRE ATT\u0026CK: TEMP.Veles\r\n[29] NSA and NCSC-UK Cybersecurity Advisory Turla Group Exploits Iranian APT To Expand Coverage Of\r\nVictims\r\n[30] CrowdStrike Adversary Profile: VENOMOUS BEAR\r\n[31] KELA Cybersecurity Intelligence Center: Ain’t No Actor Trustworthy Enough: The importance of validating\r\nsources\r\n[32] Twitter: Valery Marchive Status, Feb. 
25, 2022 1:41 PM\r\n[33] The Record by Recorded Future: Russia or Ukraine: Hacking Groups Take Sides\r\n[34] Twitter: CyberKnow Status, March 29, 2022, 7:54 AM\r\n[35] CrowdStrike Blog: Who is Salty Spider (Sality)?\r\n[36] Proofpoint Blog: New Year, New Version of DanaBot\r\n[37] Zscaler Blog: Spike in DanaBot Malware Activity\r\n[38] Proofpoint Blog: New Year, New Version of DanaBot\r\n[39] The Record by Recorded Future: Russia or Ukraine: Hacking Groups Take Sides\r\n[40] TechTarget: Conti ransomware gang backs Russia, threatens US\r\n[41] The Record by Recorded Future: Russia or Ukraine: Hacking Groups Take Sides\r\nACKNOWLEDGEMENTS\r\nThe U.S., Australian, Canadian, New Zealand, and UK cyber authorities would like to thank CrowdStrike,\r\nGoogle, LookingGlass Cyber, Mandiant, Microsoft, and Secureworks for their contributions to this CSA.\r\nContact Information\r\nU.S. organizations: to report suspicious or criminal activity related to information found in this Joint\r\nCybersecurity Advisory, contact CISA’s 24/7 Operations Center at SayCISA@cisa.dhs.gov or by calling\r\n1-844-Say-CISA (1-844-729-2472) and/or the FBI via your local FBI field office at www.fbi.gov/contact-us/field-offices, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by email at CyWatch@fbi.gov. When\r\navailable, please include the following information regarding the incident: date, time, and location of the incident;\r\ntype of activity; number of people affected; type of equipment used for the activity; the name of the submitting\r\ncompany or organization; and a designated point of contact. For NSA client requirements or general cybersecurity\r\ninquiries, contact the Cybersecurity Requirements Center at 410-854-4200 or Cybersecurity_Requests@nsa.gov. 
Australian organizations: visit cyber.gov.au/acsc/report or call 1300 292 371 (1300 CYBER 1) to report\r\ncybersecurity incidents and access alerts and advisories. Canadian organizations: report incidents by emailing\r\nCCCS at contact@cyber.gc.ca. New Zealand organizations: report cyber security incidents to\r\nncscincidents@ncsc.govt.nz or call 04 498 7654. United Kingdom organizations: report a significant cyber\r\nsecurity incident: ncsc.gov.uk/report-an-incident (monitored 24 hours) or, for urgent assistance, call 03000 200\r\n973.\r\nRevisions\r\nApril 20, 2022: Initial version\r\nMay 9, 2022: Added detail on GTsST use of VPNFilter.\r\nSource: https://www.cisa.gov/uscert/ncas/alerts/aa22-110a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cisa.gov/uscert/ncas/alerts/aa22-110a"
	],
	"report_names": [
		"aa22-110a"
	],
	"threat_actors": [
		{
			"id": "81bd7107-6b2d-45c9-9eea-1843d4b9b308",
			"created_at": "2022-10-25T15:50:23.320841Z",
			"updated_at": "2026-04-10T02:00:05.356444Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Gamaredon Group",
				"IRON TILDEN",
				"Primitive Bear",
				"ACTINIUM",
				"Armageddon",
				"Shuckworm",
				"DEV-0157",
				"Aqua Blizzard"
			],
			"source_name": "MITRE:Gamaredon Group",
			"tools": [
				"QuietSieve",
				"Pteranodon",
				"Remcos",
				"PowerPunch"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5fb9f77b-1273-4658-884e-49f5f511dcd7",
			"created_at": "2022-10-25T15:50:23.591795Z",
			"updated_at": "2026-04-10T02:00:05.383475Z",
			"deleted_at": null,
			"main_name": "TEMP.Veles",
			"aliases": [
				"TEMP.Veles",
				"XENOTIME"
			],
			"source_name": "MITRE:TEMP.Veles",
			"tools": [
				"Mimikatz",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "12211366-1f14-4eed-9d91-46b6a2ede618",
			"created_at": "2025-08-07T02:03:25.014713Z",
			"updated_at": "2026-04-10T02:00:03.624097Z",
			"deleted_at": null,
			"main_name": "GOLD ULRICK",
			"aliases": [
				"Grim Spider ",
				"UNC1878 "
			],
			"source_name": "Secureworks:GOLD ULRICK",
			"tools": [
				"Bloodhound",
				"Buer Loader",
				"Cobalt Strike",
				"Conti",
				"Diavol",
				"PowerShell Empire",
				"Ryuk",
				"SystemBC",
				"Team9 (aka BazarLoader)",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e8e18067-f64b-4e54-9493-6d450b7d40df",
			"created_at": "2022-10-25T16:07:24.515213Z",
			"updated_at": "2026-04-10T02:00:05.018868Z",
			"deleted_at": null,
			"main_name": "Mummy Spider",
			"aliases": [
				"ATK 104",
				"Gold Crestwood",
				"Mummy Spider",
				"TA542"
			],
			"source_name": "ETDA:Mummy Spider",
			"tools": [
				"Emotet",
				"Geodo",
				"Heodo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6d1762e8-c48c-4fda-b4d1-ecb91179720e",
			"created_at": "2022-10-25T16:07:24.55351Z",
			"updated_at": "2026-04-10T02:00:05.031489Z",
			"deleted_at": null,
			"main_name": "Salty Spider",
			"aliases": [],
			"source_name": "ETDA:Salty Spider",
			"tools": [
				"Kookoo",
				"Kukacka",
				"Kuku",
				"SalLoad",
				"SaliCode",
				"Sality"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "02e5c3b8-54b4-4170-b200-7f1fd361b5a9",
			"created_at": "2022-10-25T16:07:24.557505Z",
			"updated_at": "2026-04-10T02:00:05.032451Z",
			"deleted_at": null,
			"main_name": "Scully Spider",
			"aliases": [
				"Scully Spider",
				"TA547"
			],
			"source_name": "ETDA:Scully Spider",
			"tools": [
				"DanaBot",
				"Lumma Stealer",
				"LummaC2",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"Rhadamanthys",
				"Rhadamanthys Stealer",
				"Stealc"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0bce7575-ba34-4742-afb7-a4d3ade12dbe",
			"created_at": "2023-11-14T02:00:07.091122Z",
			"updated_at": "2026-04-10T02:00:03.448867Z",
			"deleted_at": null,
			"main_name": "XakNet",
			"aliases": [
				"UAC-0100",
				"UAC-0106"
			],
			"source_name": "MISPGALAXY:XakNet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9fe7fd84-e2b4-4db5-9c90-c4a5791d3f94",
			"created_at": "2023-01-06T13:46:38.904178Z",
			"updated_at": "2026-04-10T02:00:03.14055Z",
			"deleted_at": null,
			"main_name": "SALTY SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:SALTY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8492b1a0-126f-4113-b8f7-101d28559629",
			"created_at": "2023-01-06T13:46:38.864213Z",
			"updated_at": "2026-04-10T02:00:03.126178Z",
			"deleted_at": null,
			"main_name": "GRIM SPIDER",
			"aliases": [
				"GOLD ULRICK"
			],
			"source_name": "MISPGALAXY:GRIM SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "506404b2-82fb-4b7e-b40d-57c2e9b59f40",
			"created_at": "2023-01-06T13:46:38.870883Z",
			"updated_at": "2026-04-10T02:00:03.128317Z",
			"deleted_at": null,
			"main_name": "MUMMY SPIDER",
			"aliases": [
				"TA542",
				"GOLD CRESTWOOD"
			],
			"source_name": "MISPGALAXY:MUMMY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "649b5b3e-b16e-44db-91bc-ae80b825050e",
			"created_at": "2022-10-25T15:50:23.290412Z",
			"updated_at": "2026-04-10T02:00:05.257022Z",
			"deleted_at": null,
			"main_name": "Dragonfly",
			"aliases": [
				"TEMP.Isotope",
				"DYMALLOY",
				"Berserk Bear",
				"TG-4192",
				"Crouching Yeti",
				"IRON LIBERTY",
				"Energetic Bear",
				"Ghost Blizzard"
			],
			"source_name": "MITRE:Dragonfly",
			"tools": [
				"MCMD",
				"Impacket",
				"CrackMapExec",
				"Backdoor.Oldrea",
				"Mimikatz",
				"PsExec",
				"Trojan.Karagany",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "90307967-d5eb-4b7b-b8de-6fa2089a176e",
			"created_at": "2022-10-25T15:50:23.501119Z",
			"updated_at": "2026-04-10T02:00:05.347826Z",
			"deleted_at": null,
			"main_name": "Dragonfly 2.0",
			"aliases": [
				"Dragonfly 2.0",
				"IRON LIBERTY",
				"DYMALLOY",
				"Berserk Bear"
			],
			"source_name": "MITRE:Dragonfly 2.0",
			"tools": [
				"netsh",
				"Impacket",
				"MCMD",
				"CrackMapExec",
				"Trojan.Karagany",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1a76ed30-4daf-4817-98ae-87c667364464",
			"created_at": "2022-10-25T16:47:55.891029Z",
			"updated_at": "2026-04-10T02:00:03.646466Z",
			"deleted_at": null,
			"main_name": "IRON LIBERTY",
			"aliases": [
				"ALLANITE ",
				"ATK6 ",
				"BROMINE ",
				"CASTLE ",
				"Crouching Yeti ",
				"DYMALLOY ",
				"Dragonfly ",
				"Energetic Bear / Berserk Bear ",
				"Ghost Blizzard ",
				"TEMP.Isotope ",
				"TG-4192 "
			],
			"source_name": "Secureworks:IRON LIBERTY",
			"tools": [
				"ClientX",
				"Ddex Loader",
				"Havex",
				"Karagany",
				"Loek",
				"MCMD",
				"Sysmain",
				"xfrost"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "39842197-944a-49fd-9bec-eafa1807e0ea",
			"created_at": "2022-10-25T16:07:24.310589Z",
			"updated_at": "2026-04-10T02:00:04.931264Z",
			"deleted_at": null,
			"main_name": "TeleBots",
			"aliases": [],
			"source_name": "ETDA:TeleBots",
			"tools": [
				"BadRabbit",
				"Black Energy",
				"BlackEnergy",
				"CredRaptor",
				"Diskcoder.C",
				"EternalPetya",
				"ExPetr",
				"Exaramel",
				"FakeTC",
				"Felixroot",
				"GreyEnergy",
				"GreyEnergy mini",
				"KillDisk",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"NonPetya",
				"NotPetya",
				"Nyetya",
				"Petna",
				"Petrwrap",
				"Pnyetya",
				"TeleBot",
				"TeleDoor",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"nPetya"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "0f09b73e-caa9-40e6-bd0b-c13503e4e94c",
			"created_at": "2023-01-06T13:46:39.001286Z",
			"updated_at": "2026-04-10T02:00:03.1772Z",
			"deleted_at": null,
			"main_name": "TEMP.Veles",
			"aliases": [
				"Xenotime",
				"G0088",
				"ATK91"
			],
			"source_name": "MISPGALAXY:TEMP.Veles",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d5156b55-5d7d-4fb2-836f-861d2e868147",
			"created_at": "2023-01-06T13:46:38.557326Z",
			"updated_at": "2026-04-10T02:00:03.023048Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"ACTINIUM",
				"DEV-0157",
				"Blue Otso",
				"G0047",
				"IRON TILDEN",
				"PRIMITIVE BEAR",
				"Shuckworm",
				"UAC-0010",
				"BlueAlpha",
				"Trident Ursa",
				"Winterflounder",
				"Aqua Blizzard",
				"Actinium"
			],
			"source_name": "MISPGALAXY:Gamaredon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b4a6d558-3cba-499c-b58a-f15d65b7a604",
			"created_at": "2023-01-06T13:46:39.346924Z",
			"updated_at": "2026-04-10T02:00:03.295317Z",
			"deleted_at": null,
			"main_name": "Killnet",
			"aliases": [],
			"source_name": "MISPGALAXY:Killnet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5cbf6c32-482d-4cd2-9d11-0d9311acdc28",
			"created_at": "2023-01-06T13:46:38.39927Z",
			"updated_at": "2026-04-10T02:00:02.958273Z",
			"deleted_at": null,
			"main_name": "ENERGETIC BEAR",
			"aliases": [
				"BERSERK BEAR",
				"ALLANITE",
				"Group 24",
				"Koala Team",
				"G0035",
				"ATK6",
				"ITG15",
				"DYMALLOY",
				"TG-4192",
				"Crouching Yeti",
				"Havex",
				"IRON LIBERTY",
				"Blue Kraken",
				"Ghost Blizzard"
			],
			"source_name": "MISPGALAXY:ENERGETIC BEAR",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b3070c7b-c1e8-462c-94f1-62a0d2bdbc67",
			"created_at": "2023-01-06T13:46:39.116254Z",
			"updated_at": "2026-04-10T02:00:03.218594Z",
			"deleted_at": null,
			"main_name": "SCULLY SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:SCULLY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20012494-3f05-48ce-8c0f-92455e46a4f9",
			"created_at": "2022-10-25T16:07:24.319939Z",
			"updated_at": "2026-04-10T02:00:04.934107Z",
			"deleted_at": null,
			"main_name": "TEMP.Veles",
			"aliases": [
				"ATK 91",
				"G0088",
				"Xenotime"
			],
			"source_name": "ETDA:TEMP.Veles",
			"tools": [
				"Cryptcat",
				"HatMan",
				"Mimikatz",
				"NetExec",
				"PsExec",
				"SecHack",
				"TRISIS",
				"TRITON",
				"Trisis",
				"Triton",
				"Wii"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2ac83159-1d9d-4db4-a176-97be6b7b07c9",
			"created_at": "2024-06-19T02:03:08.024653Z",
			"updated_at": "2026-04-10T02:00:03.672512Z",
			"deleted_at": null,
			"main_name": "GOLD CRESTWOOD",
			"aliases": [
				"Mummy Spider ",
				"TA542 "
			],
			"source_name": "Secureworks:GOLD CRESTWOOD",
			"tools": [
				"Emotet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e2a4bc0b-6745-4e55-9d7c-3d169d70b025",
			"created_at": "2022-10-25T16:07:23.386907Z",
			"updated_at": "2026-04-10T02:00:04.576815Z",
			"deleted_at": null,
			"main_name": "Berserk Bear",
			"aliases": [
				"Berserk Bear",
				"Dragonfly 2.0",
				"Dymalloy",
				"G0074"
			],
			"source_name": "ETDA:Berserk Bear",
			"tools": [
				"Fuerboos",
				"Goodor",
				"Impacket",
				"Karagany",
				"Karagny",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Phishery",
				"Trojan.Karagany",
				"Trojan.Phisherly",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434322,
	"ts_updated_at": 1775826783,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fa3146c7d4e1f91891295e6a15cd5a6c68d7192d.pdf",
		"text": "https://archive.orkl.eu/fa3146c7d4e1f91891295e6a15cd5a6c68d7192d.txt",
		"img": "https://archive.orkl.eu/fa3146c7d4e1f91891295e6a15cd5a6c68d7192d.jpg"
	}
}