Threat actors

Threat actors are sets of related intrusion activity that are tracked by a common name in the security community. Analysts track clusters of activities using various analytic methodologies and terms such as threat groups, activity groups, threat actors, intrusion sets, and campaigns. Some groups have multiple names associated with similar activities due to various organizations tracking similar activities by different names. Organizations' group definitions may partially overlap with groups designated by other organizations and may disagree on specific activity.

For the purposes of the Group pages, the MITRE ATT&CK team uses the term Group to refer to any of the above designations for a cluster of adversary activity. The team makes a best effort to track overlaps between names based on publicly reported associations, which are designated as “Associated Groups” on each page (formerly labeled “Aliases”), because we believe these overlaps are useful for analyst awareness. We do not represent these names as exact overlaps and encourage analysts to do additional research.

Groups are mapped to publicly reported technique use and original references are included. The information provided does not represent all possible technique use by Groups, but rather a subset that is available solely through open source reporting. Groups are also mapped to reported Software used, and technique use for that Software is tracked separately on each Software page.

Groups: 14
Name Associated Groups Description
APT17 Deputy Dog, Axiom

APT17 is a China-based threat group that has conducted network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations.

Security researchers found code similarities between the backdoor implanted in CCleaner and earlier APT17 samples, implying that APT17 is behind the CCBkdr backdoor used in the CCleaner Supply Chain Compromise.

APT18 TG-0416, Dynamite Panda, Threat Group-0416

APT18 is a threat group that has operated since at least 2009 and has targeted a range of industries, including technology, manufacturing, human rights groups, government, and medical.

APT20 APT8, Violin Panda

APT20, associated with Operation Wocao, is a suspected China-based cyberespionage APT group that targets government entities, managed service providers, and a wide variety of industries, including construction and engineering, non-profit organizations, defense, energy, health care, and high-tech, in 10 different countries, including Thailand and the USA as well as East Asia.

The group is known to use Mimikatz to dump certificates and keys from the Windows certificate store in order to authenticate to internal services, as well as SSH for Lateral Movement.

To evade defenses, the group is known to Install Root Certificate into the local Windows certificate store.

APT39 Chafer

APT39 is an Iranian cyberespionage group that has been active since at least 2014. The group is known to target the telecommunication and travel industries to collect personal information that aligns with Iran's national goals.

The group is known to use Secure Shell (SSH) to move laterally within the network.

APT40 TEMP.Jumper, APT40, TEMP.Periscope

APT40 is a cyber espionage group that has been active since at least 2013. The group generally targets defense and government organizations, but has also targeted a range of industries including engineering firms, shipping and transportation, manufacturing, defense, government offices, and research universities in the United States, Western Europe, and along the South China Sea.

APT40 shares infrastructure with APT41 and is known to use Code Signing to sign its malware.

For Lateral Movement, the group takes a "living-off-the-land" approach, using legitimate software already present in the victim's environment, such as SSH, together with compromised Private Keys and credentials to authenticate to connected systems.

APT41

APT41 is a group that carries out Chinese state-sponsored espionage and financially motivated activity. APT41 has been active since as early as 2012. The group has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries.

The group is known to target technology and video game companies to compromise their Supply Chain and insert a backdoor into their products, and is reported to be behind the infamous ShadowPad backdoor first inserted into NetSarang software. The group has also been observed inserting malicious code into legitimate video game files to distribute malware.

APT41 also regularly leverages stolen Code Signing certificates to sign their malware and tools when targeting their victims.

BlackTech

BlackTech is a cyber espionage group operating against targets in East Asia, particularly Taiwan, and occasionally, Japan and Hong Kong.

The group is known to use stolen Code Signing Certificates to sign its tools and malware.

Elderwood Elderwood Gang, Beijing Group, Sneaky Panda

Elderwood is a suspected Chinese cyber espionage group that was reportedly responsible for the 2009 Google intrusion known as Operation Aurora. The group has targeted defense organizations, supply chain manufacturers, human rights and nongovernmental organizations (NGOs), and IT service providers.

Rocke

Rocke is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency. The name Rocke comes from the email address "rocke@live.cn" used to create the wallet which held collected cryptocurrency. Researchers have detected overlaps between Rocke and the Iron Cybercrime Group, though this attribution has not been confirmed.

Sandworm Team ELECTRUM, Telebots, IRON VIKING, BlackEnergy (Group), Quedagh, VOODOO BEAR

Sandworm Team is a destructive Russian threat group that has been attributed to Russian GRU Unit 74455 by the U.S. Department of Justice and U.K. National Cyber Security Centre. Sandworm Team's most notable attacks include the 2015 and 2016 targeting of Ukrainian electrical companies and 2017's NotPetya attacks. Sandworm Team has been active since at least 2009.

UNC1945

UNC1945 is a threat group active since 2018 that is known to target telecommunication companies, as well as targets within the financial and professional consulting industries, by leveraging access to third-party networks and Trusted Relationships.

The group uses SSH (External Remote Services) for Initial Access.

According to the reports, the group compromised SSH servers and advertised remote access to the infected servers on underground forums, providing evidence that threat actors sell direct access to the External Remote Services of compromised servers as a service.

UNC1945 obtained and maintained Persistence on the victim's external infrastructure using SSH Port Forwarding, even when the host was no longer directly exposed to the internet.

UNC1945 obtained credentials and Private Keys to enable Lateral Movement in networks and obtain access to other segments of the network and third-party environments. The stolen credentials and keys were used to traverse the compromised network via SSH and deploy further malware.

The group was also reported to use Code Signing certificates to sign their tools.

UNC2452 Solorigate, StellarParticle, Dark Halo

UNC2452 is a suspected Russian state-sponsored APT group behind the 2020 SolarWinds software supply chain attack.

The group compromised the build system and signing infrastructure of Orion, a network monitoring and management product by SolarWinds, and delivered a trojanized update to over 18,000 customers. The victims included around 80% of the Fortune 500, large corporations such as Microsoft, Cisco, Intel, Nvidia, Belkin, FireEye, and Deloitte, as well as numerous US government departments and agencies and other organizations in North America, Europe, Asia, and the Middle East. The group also compromised at least one think tank by late 2019.

Artifacts from the investigation confirmed that the source code of the Orion update was directly modified to include the SUNBURST backdoor, which was digitally signed and delivered through the company’s legitimate software release system.

The SUNBURST backdoor was injected into the update by another tool, SUNSPOT, which replaced one of the source code files at build time with a version containing the backdoor.

The Initial Access vector was not reported and could have been a public-facing FTP server and leaked credentials. Other reports refer to the exploitation of the CI/CD tool TeamCity by JetBrains, which is used by developers all over the world.

The group also managed to access other victims through vendor access and other means, and compromised a certificate issued by Mimecast to intercept traffic and access sensitive information.

Windigo

The Windigo group has been operating since at least 2011, compromising thousands of Linux and Unix servers using the Ebury SSH backdoor to create a spam botnet. Despite law enforcement intervention against the creators, Windigo operators continued updating Ebury through 2019.

Winnti Group Blackfly

Winnti Group is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting.

Winnti Group covers the activity of a number of linked groups rather than a single discrete entity, and some reporting suggests that it includes Axiom, APT17, and Ke3chang.

One of the group's main objectives is stealing digital certificates signed by legitimate software vendors in addition to intellectual property theft, including the source code of online game projects. The majority of the victims are from South East Asia.

Some reports suggest that Winnti Group is associated with the infamous ShadowPad backdoor that was inserted into one of the DLLs of the NetSarang software in a Software Supply Chain Compromise.

In February 2020, Winnti Group was found to be targeting several video gaming companies based in South Korea and Taiwan, compromising their build systems to infect game binaries and deliver a backdoor to their users.

In June 2020, Winnti Group also shifted to target Red Hat Enterprise Linux, CentOS, and Ubuntu Linux environments systematically across a wide array of industry verticals for the purposes of espionage and intellectual property theft.

Some reporting suggests that the group shifted from signing malware with certificates stolen from video game companies to signing malware with certificates stolen from adware vendors, resulting in very low detection rates.