{
	"id": "d031d4b4-3d8e-4fef-8cff-98202bf66a38",
	"created_at": "2026-04-06T00:21:23.148765Z",
	"updated_at": "2026-04-10T13:11:42.259172Z",
	"deleted_at": null,
	"sha1_hash": "faba1e61ad13f808ca52975d26a821803b1d28b8",
	"title": "Regional Conflict and Cyber Blowback » Adversary Manifesto",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 41080,
	"plain_text": "Regional Conflict and Cyber Blowback » Adversary Manifesto\r\nPublished: 2013-10-10 · Archived: 2026-04-05 16:53:52 UTC\r\nThe Internet has changed many aspects of modern life, from communication with friends to how we watch TV or\r\nlisten to music. It has also changed the way we engage in conflict with others; this can be seen on a micro level in\r\nthe emergence of cyber bullying or at the macro level in the U.S. Department of Defense\r\ndeclaring “Cyber” a fifth domain of warfare.\r\nCyber conflict can be an equalizer for adversaries who have limited ability to achieve their goals through other\r\nconventional avenues. As an example, take the case of individuals supportive of the Syrian regime; these\r\nsupporters have little ability to engage in kinetic warfare against Western or anti-regime targets in the physical\r\nworld, but leveraging cyber attacks is well within their capability.\r\nOver the past three months, the adversary designated by CrowdStrike as DEADEYE JACKAL (commonly known\r\nas the Syrian Electronic Army) carried out a number of attacks against major media outlets. In mid-August,\r\nreports emerged that the adversary successfully redirected visitors to major media websites such as the\r\nWashington Post to a DEADEYE JACKAL-controlled website; the actor also claimed to have similarly\r\ncompromised the websites of CNN and Time. Several weeks later, DEADEYE JACKAL successfully took down\r\nthe New York Times’ website through a DNS redirection.\r\nIt is interesting to note that these were not direct attacks against the targeted organizations’ networks; they were\r\ncarried out by compromising the networks of third-party service providers. 
These third parties were leveraged by\r\nthe targets to support social media marketing, content publishing, advertising, and domain registration/hosting.\r\nCompromising these vendors is a new tactic for DEADEYE JACKAL, who leveraged it as a force multiplier. This\r\ntactic negated the necessity of compromising three hard targets, allowing the adversary to increase impact\r\ndramatically by finding a common link and exploiting it. The attacks by DEADEYE JACKAL were clearly\r\nmotivated by press surrounding the conflict in Syria that was critical of the Syrian regime. This adversary is\r\nsupportive of the current Syrian regime, and it likely desired to control the messaging it felt was driving\r\ninternational anti-regime sentiment. In general, these attacks were disruptive and did not target sensitive data of\r\nthe media outlets or service providers. These attacks represent the emerging threat of regional conflicts spilling\r\nover into the cyber domain and damaging or embarrassing entities far outside of the conflict zone.\r\nDesire to control messaging about the Syrian regime motivated DEADEYE JACKAL’s targeting of the media;\r\nhowever, they could easily adjust targeting toward more impactful targets. As an example, DEADEYE JACKAL\r\nmay have similarly decided that Western financial institutions would be an effective target to dissuade kinetic\r\ninvolvement of external militaries. Financial entities in the U.S. have already been victimized by attackers calling\r\nthemselves the “Cyber fighters of Izz Ad-Din Al Qassam” who purportedly seek retribution for an offensive video\r\nposted to a popular video sharing site. DEADEYE JACKAL could also turn its sights on entities within the\r\ndefense industrial base, as the weapons produced by those companies might be used in a strike against Syrian\r\ngovernment forces. 
Organizations in the oil and gas sector could also be targeted if the adversary views\r\ninterference in the Syrian conflict as a pretext to secure access to oil resources in the region. Whatever the\r\nbusiness vertical one can come up with, there is a potential reason why an irrational actor motivated by self\r\ndefense might seek to leverage cyber attacks against it.\r\nThe spillover of regional conflict is also demonstrated by the activity of another adversary designated by\r\nCrowdStrike as CORSAIR JACKAL (also known as the Tunisian Cyber Army). During 2013, this adversary\r\ncarried out a smaller number of high-profile attacks aimed at organizations in the financial, oil and gas, and\r\nshipping sectors. Additionally, in March 2013 the adversary also made unconfirmed claims that it compromised a\r\nlarge user database from a financial institution. Although CORSAIR JACKAL’s operations were not as visible as\r\nthose of DEADEYE JACKAL, the adversary represents another instance of malicious cyber activity emanating\r\nfrom a tumultuous region directed at organizations that may not have a clear connection to the conflict in that\r\nregion. In the case of CORSAIR JACKAL, the only legitimacy needed to target Western businesses was anti-Western sentiment from perceived interference by Western governments in theatre.\r\nOrganizations across all sectors must consider the risk of conflict in the physical world spilling over into the cyber\r\ndomain and resulting in malicious actors targeting their systems, operations, or customers. The use of cyber\r\nattacks is not declining; it is rapidly proliferating. 
As tools become easier to acquire, use, and modify, new\r\nadversaries are stepping on to the cyber domain from all over the world every day.\r\nIt is for these reasons that CrowdStrike advocates an intelligence-driven approach to security; the CrowdStrike\r\nIntelligence team tracks adversaries emanating from geographic locations across the globe and various\r\nmotivations. This past quarter we identified multiple new adversaries with specific Tactics, Techniques, and\r\nPractices (TTPs) and associated actionable indicators for our intelligence subscription customers. These new\r\nadversaries include the two nationalistically motivated actors discussed above, DEADEYE JACKAL and\r\nCORSAIR JACKAL, and a number of others engaged in targeted intrusion operations such as STONE PANDA,\r\nNIGHTSHADE PANDA, GOBLIN PANDA, and MAGIC KITTEN.\r\nLearn More about CrowdStrike’s approach to intelligence-driven security.\r\nRegister for our 10/16 CrowdCast: “You Have an Adversary Problem. Who’s Targeting You and Why?”\r\nSource: https://web.archive.org/web/20160315044507/https://www.crowdstrike.com/blog/regional-conflict-and-cyber-blowback/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://web.archive.org/web/20160315044507/https://www.crowdstrike.com/blog/regional-conflict-and-cyber-blowback/"
	],
	"report_names": [
		"regional-conflict-and-cyber-blowback"
	],
	"threat_actors": [
		{
			"id": "e575ba5a-702c-4a64-9bda-c4b1061210e5",
			"created_at": "2022-10-25T16:07:23.245788Z",
			"updated_at": "2026-04-10T02:00:04.763889Z",
			"deleted_at": null,
			"main_name": "Magic Kitten",
			"aliases": [],
			"source_name": "ETDA:Magic Kitten",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2f498e6b-3f0e-4f26-8cc7-52121e675643",
			"created_at": "2023-01-06T13:46:38.447274Z",
			"updated_at": "2026-04-10T02:00:02.978901Z",
			"deleted_at": null,
			"main_name": "Deadeye Jackal",
			"aliases": [
				"SyrianElectronicArmy"
			],
			"source_name": "MISPGALAXY:Deadeye Jackal",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "efeeab6a-219e-4a45-9b2f-9f77c647ffd2",
			"created_at": "2023-01-06T13:46:38.370366Z",
			"updated_at": "2026-04-10T02:00:02.946455Z",
			"deleted_at": null,
			"main_name": "Magic Kitten",
			"aliases": [
				"Group 42"
			],
			"source_name": "MISPGALAXY:Magic Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "76fc6d92-0710-4640-bfa7-3000fe3940a5",
			"created_at": "2022-10-25T16:07:24.251595Z",
			"updated_at": "2026-04-10T02:00:04.911951Z",
			"deleted_at": null,
			"main_name": "Syrian Electronic Army (SEA)",
			"aliases": [
				"ATK 196",
				"Deadeye Jackal",
				"Syria Malware Team",
				"Syrian Electronic Army",
				"TAG-CT2"
			],
			"source_name": "ETDA:Syrian Electronic Army (SEA)",
			"tools": [
				"AndoServer",
				"CypherRat",
				"SLRat",
				"SandroRAT",
				"SilverHawk",
				"SpyNote",
				"SpyNote RAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb08058c-a744-4129-aa80-10aa34ed8766",
			"created_at": "2022-10-25T16:07:24.474826Z",
			"updated_at": "2026-04-10T02:00:05.003307Z",
			"deleted_at": null,
			"main_name": "Cyber fighters of Izz Ad-Din Al Qassam",
			"aliases": [
				"Cyber fighters of Izz Ad-Din Al Qassam",
				"Fraternal Jackal",
				"QCF",
				"Qassam Cyber Fighters"
			],
			"source_name": "ETDA:Cyber fighters of Izz Ad-Din Al Qassam",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "699b7efc-322d-489d-818d-823fac028124",
			"created_at": "2023-01-06T13:46:39.404825Z",
			"updated_at": "2026-04-10T02:00:03.315524Z",
			"deleted_at": null,
			"main_name": "APT9",
			"aliases": [
				"NIGHTSHADE PANDA",
				"Red Pegasus",
				"Group 27"
			],
			"source_name": "MISPGALAXY:APT9",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e79324a2-bdae-4dc5-9421-578a59045288",
			"created_at": "2022-10-25T16:07:23.906087Z",
			"updated_at": "2026-04-10T02:00:04.784657Z",
			"deleted_at": null,
			"main_name": "Nightshade Panda",
			"aliases": [
				"APT 9",
				"FlowerLady",
				"FlowerShow",
				"Group 27",
				"Nightshade Panda",
				"Operation Seven Pointed Dagger"
			],
			"source_name": "ETDA:Nightshade Panda",
			"tools": [
				"3102 RAT",
				"9002 RAT",
				"Agent.dhwf",
				"BKDR_EVILOGE",
				"BKDR_HGDER",
				"BKDR_NVICM",
				"Chymine",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"EvilGrab",
				"EvilGrab RAT",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Kaba",
				"Korplug",
				"McRAT",
				"MdmBot",
				"MoonWind",
				"MoonWind RAT",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"Vidgrab",
				"Wmonder",
				"Xamtrav",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "26bccc8b-d044-42dc-92d3-3ec57adc82ca",
			"created_at": "2022-10-25T16:07:23.203516Z",
			"updated_at": "2026-04-10T02:00:04.486582Z",
			"deleted_at": null,
			"main_name": "Corsair Jackal",
			"aliases": [
				"TunisianCyberArmy"
			],
			"source_name": "ETDA:Corsair Jackal",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "04b07437-41bb-4126-bcbb-def16f19d7c6",
			"created_at": "2022-10-25T16:07:24.232628Z",
			"updated_at": "2026-04-10T02:00:04.906097Z",
			"deleted_at": null,
			"main_name": "Stone Panda",
			"aliases": [
				"APT 10",
				"ATK 41",
				"Bronze Riverside",
				"CTG-5938",
				"CVNX",
				"Cuckoo Spear",
				"Earth Kasha",
				"G0045",
				"G0093",
				"Granite Taurus",
				"Happyyongzi",
				"Hogfish",
				"ITG01",
				"Operation A41APT",
				"Operation Cache Panda",
				"Operation ChessMaster",
				"Operation Cloud Hopper",
				"Operation Cuckoo Spear",
				"Operation New Battle",
				"Operation Soft Cell",
				"Operation TradeSecret",
				"Potassium",
				"Purple Typhoon",
				"Red Apollo",
				"Stone Panda",
				"TA429",
				"menuPass",
				"menuPass Team"
			],
			"source_name": "ETDA:Stone Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Anel",
				"AngryRebel",
				"BKDR_EVILOGE",
				"BKDR_HGDER",
				"BKDR_NVICM",
				"BUGJUICE",
				"CHINACHOPPER",
				"ChChes",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"DARKTOWN",
				"DESLoader",
				"DILLJUICE",
				"DILLWEED",
				"Darkmoon",
				"DelfsCake",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Ecipekac",
				"Emdivi",
				"EvilGrab",
				"EvilGrab RAT",
				"FYAnti",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"GreetCake",
				"HAYMAKER",
				"HEAVYHAND",
				"HEAVYPOT",
				"HTran",
				"HUC Packet Transmit Tool",
				"Ham Backdoor",
				"HiddenFace",
				"Impacket",
				"Invoke the Hash",
				"KABOB",
				"Kaba",
				"Korplug",
				"LODEINFO",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MiS-Type",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"NBTscan",
				"NOOPDOOR",
				"Newsripper",
				"P8RAT",
				"PCRat",
				"PlugX",
				"Poison Ivy",
				"Poldat",
				"PowerSploit",
				"PowerView",
				"PsExec",
				"PsList",
				"Quarks PwDump",
				"Quasar RAT",
				"QuasarRAT",
				"RedDelta",
				"RedLeaves",
				"Rubeus",
				"SNUGRIDE",
				"SPIVY",
				"SharpSploit",
				"SigLoader",
				"SinoChopper",
				"SodaMaster",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"UpperCut",
				"Vidgrab",
				"WinRAR",
				"WmiExec",
				"Wmonder",
				"Xamtrav",
				"Yggdrasil",
				"Zlib",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"dfls",
				"lena",
				"nbtscan",
				"pivy",
				"poisonivy",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bdb5decc-c287-4abd-9ed6-0aca4415a743",
			"created_at": "2023-01-06T13:46:38.44054Z",
			"updated_at": "2026-04-10T02:00:02.975703Z",
			"deleted_at": null,
			"main_name": "Corsair Jackal",
			"aliases": [
				"TunisianCyberArmy"
			],
			"source_name": "MISPGALAXY:Corsair Jackal",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d63af7da-1b27-4f7e-a006-e7398c38f436",
			"created_at": "2023-01-06T13:46:38.702633Z",
			"updated_at": "2026-04-10T02:00:03.073096Z",
			"deleted_at": null,
			"main_name": "Cyber fighters of Izz Ad-Din Al Qassam",
			"aliases": [
				"Fraternal Jackal"
			],
			"source_name": "MISPGALAXY:Cyber fighters of Izz Ad-Din Al Qassam",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7d553b83-a7b2-431f-9bc9-08da59f3c4ea",
			"created_at": "2023-01-06T13:46:39.444946Z",
			"updated_at": "2026-04-10T02:00:03.331753Z",
			"deleted_at": null,
			"main_name": "GOBLIN PANDA",
			"aliases": [
				"Conimes",
				"Cycldek"
			],
			"source_name": "MISPGALAXY:GOBLIN PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2c7ecb0e-337c-478f-95d4-7dbe9ba44c39",
			"created_at": "2022-10-25T16:07:23.690871Z",
			"updated_at": "2026-04-10T02:00:04.709966Z",
			"deleted_at": null,
			"main_name": "Goblin Panda",
			"aliases": [
				"1937CN",
				"Conimes",
				"Cycldek",
				"Goblin Panda"
			],
			"source_name": "ETDA:Goblin Panda",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"BackDoor-FBZT!52D84425CDF2",
				"BlueCore",
				"BrowsingHistoryView",
				"ChromePass",
				"CoreLoader",
				"Custom HDoor",
				"Destroy RAT",
				"DestroyRAT",
				"DropPhone",
				"FoundCore",
				"HDoor",
				"HTTPTunnel",
				"JsonCookies",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"NBTscan",
				"NewCore RAT",
				"PlugX",
				"ProcDump",
				"PsExec",
				"QCRat",
				"RainyDay",
				"RedCore",
				"RedDelta",
				"RoyalRoad",
				"Sisfader",
				"Sisfader RAT",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trojan.Win32.Staser.ytq",
				"USBCulprit",
				"Win32/Zegost.BW",
				"Xamtrav",
				"ZeGhost",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434883,
	"ts_updated_at": 1775826702,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/faba1e61ad13f808ca52975d26a821803b1d28b8.pdf",
		"text": "https://archive.orkl.eu/faba1e61ad13f808ca52975d26a821803b1d28b8.txt",
		"img": "https://archive.orkl.eu/faba1e61ad13f808ca52975d26a821803b1d28b8.jpg"
	}
}