Advanced persistent threats

^ Name ^ Originated from ^ Related to ^ Impact ^
| Buckeye | The U.S., then adopted and adapted by Shadow Brokers | A Windows zero day was exploited by Buckeye alongside Equation Group tools during 2016 attacks. The exploit and tools continued to be used after Buckeye's apparent disappearance in 2017. | The purpose of all the attacks was to acquire a persistent presence on the victim's network, so information theft was the most likely motive; the attacks targeted individuals and institutions globally. So far, attacks have been recorded in Hong Kong, Belgium, Luxembourg, the Philippines, and Vietnam. |
| Dark Caracal | Dark Caracal may be administering its tooling out of the headquarters of the General Directorate of General Security (GDGS) in Beirut, Lebanon. | Dark Caracal uses the same infrastructure previously seen in the Operation Manul campaign, which targeted journalists, lawyers, and dissidents critical of the government of Kazakhstan. | Dark Caracal has been conducting a multi-platform, APT-level surveillance operation targeting individuals and institutions globally. |
| Operation Manul | Operation Manul was most likely carried out on behalf of the government of Kazakhstan. | EFF research suggests links between this campaign and other campaigns attributed to an Indian security company called Appin Security Group. There may also be links between this campaign and Arcanum Global Intelligence, a private intelligence company headquartered in Zurich. | Operation Manul targeted journalists, dissidents living in Europe, their family members, known associates, and their lawyers. |
| Cloud Atlas (alias Inception) | Kaspersky researchers believe that whoever was behind RedOctober has made a "classy return" with Cloud Atlas. | Looks like RedOctober. | Executives from the oil, finance and engineering sectors, military officers, embassy personnel and government officials from Russia and other Eastern European countries, Romania, Venezuela, and Mozambique. |
| Flame | Flame is linked to the Equation Group by Kaspersky Lab. | There is probably a strong relationship between Flame and Stuxnet. | Flame appears to have been written purely for espionage. It does not appear to target a particular industry; rather, it is a complete attack toolkit designed for general cyber-espionage purposes. |
| Duqu | Probably the creation of Unit 8200. | It seems to be related to Stuxnet, but was designed to gather industrial information rather than to interfere with industrial operations. Reappeared in 2015 as Duqu 2.0. | Duqu 2.0, alleged to be the most sophisticated computer virus ever developed, compromised Kaspersky Lab in 2014. Duqu 2.0 used at least three zero-day exploits. The virus remained on Kaspersky Lab's systems for months, undetected by them. Aside from targeting Kaspersky, it was used to spy on the negotiations for the Iran Nuclear Deal. |
| Stuxnet | Although neither government has officially acknowledged developing Stuxnet, it is widely accepted that it was created by the intelligence agencies of the United States and Israel in a classified program named "Operation Olympic Games". | A November 2013 article in Foreign Policy magazine claims the existence of an earlier, much more sophisticated attack on the centrifuge complex at Natanz. It is not clear whether that attempt was successful, but the fact that it was followed by a different, simpler and more conventional attack could be indicative. | Stuxnet was meant to attack only the Siemens SCADA systems of Iran's nuclear power program, but it now serves as a template for real-world intrusion and service disruption of power grids, water supplies or public transportation systems. The gift that keeps giving. |

en/research/stories/apt/start.txt · Last modified: 2019/05/17 11:24 by Digital Dot