Property:Has description

From attackics

This is a property of type String.

Showing 20 pages using this property.
G
[[Group/G0009|ALLANITE]] is a suspected Russian cyber espionage group that has primarily targeted the electric utility sector within the United States and United Kingdom. The group's tactics and techniques are reportedly similar to [[Group/G0002|Dragonfly]] / [[Group/G0006|Dragonfly 2.0]], although [[Group/G0009|ALLANITE]]’s technical capabilities have not exhibited disruptive or destructive abilities. It has been suggested that the group maintains a presence in ICS for the purpose of gaining an understanding of processes and to maintain persistence.[[CiteRef::Reference - Dragos - Allanite]]
[[Group/G0003|APT33]] is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors.[[CiteRef::EAttack APT33]]
[[Group/G0006|Dragonfly 2.0]] is a suspected Russian threat group that has targeted government entities and multiple U.S. critical infrastructure sectors, as well as parts of the energy sector within Turkey and Switzerland, since at least December 2015.[[CiteRef::Dragonfly 2.0 - Symantec]] There is debate over the extent of overlap between [[Group/G0006|Dragonfly 2.0]] and [[Group/G0002|Dragonfly]], but there is sufficient evidence to lead to those being tracked as two separate groups.[[CiteRef::Dragonfly 2.0 - fortune - 201709]]
[[Group/G0002|Dragonfly]] is a cyber espionage group that has been active since at least 2011. They initially targeted defense and aviation companies but shifted to focus on the energy sector in early 2013. They have also targeted companies related to industrial control systems.[[CiteRef::EAttack Dragonfly]] A similar group emerged in 2015 and was identified by Symantec as [[Group/G0006|Dragonfly 2.0]]. There is debate over the extent of the overlap between [[Group/G0002|Dragonfly]] and [[Group/G0006|Dragonfly 2.0]], but there is sufficient evidence to lead to these being tracked as two separate groups.[[CiteRef::EAttack Dragonfly]]
[[Group/G0005|HEXANE]] is a threat group that has targeted ICS organizations within the oil & gas and telecommunications sectors. Many of the targeted organizations have been located in the Middle East, including Kuwait. [[Group/G0005|HEXANE]]'s targeting of telecommunications has been speculated to be part of an effort to establish man-in-the-middle capabilities throughout the region. [[Group/G0005|HEXANE]]'s TTPs appear similar to [[Group/G0003|APT33]] and [[Group/G0010|OilRig]], but due to differences in victims and tools it is tracked as a separate entity.[[CiteRef::Reference - Dragos - Hexane]]
[[Group/G0008|Lazarus group]] is a suspected North Korean adversary group that has targeted networks associated with civilian electric energy in Europe, East Asia, and North America.[[CiteRef::Covellite - CISA Hidden Cobra]][[CiteRef::Reference - Dragos - Covellite]] Links have been established associating this group with the [[Software/S0007|WannaCry]] ransomware from 2017.[[CiteRef::Covellite - Alert TA17-132A]] While [[Software/S0007|WannaCry]] was not an ICS-focused attack, Lazarus group is considered to be a threat to ICS. North Korean group definitions are known to have significant overlap, and the name Lazarus Group is known to encompass a broad range of activity. Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea.[[CiteRef::Covellite - CISA Hidden Cobra]] Some organizations track North Korean clusters or groups such as Bluenoroff, APT37, and APT38 separately, while other organizations may track some activity associated with those group names under the name Lazarus Group.
[[Group/G0010|OilRig]] is a suspected Iranian threat group that has targeted the financial, government, energy, chemical, and telecommunications sectors, as well as the petrochemical and oil & gas sectors.[[CiteRef::Chrysene - Fireeye APT 34]][[CiteRef::Chrysene - Fireeye - 201712]][[CiteRef::Reference - Dragos - Chrysene]] [[Group/G0010|OilRig]] has been observed operating in Iraq, Pakistan, Israel, and the UK, and has been linked to the Shamoon attacks in 2012 on Saudi Aramco.
[[Group/G0007|Sandworm Team]] is a destructive threat group that has been attributed to Russian GRU Unit 74455.[[CiteRef::Sandworm – DOJ Indictment]] [[Group/G0007|Sandworm Team]]’s most notable attacks include the 2015 and 2016 attacks on the Ukrainian electrical sector and the 2017 [[Software/S0006|NotPetya]] attacks.[[CiteRef::Reference - Dragos - Electrum]][[CiteRef::Industroyer - ESET - 201706]] [[Group/G0007|Sandworm Team]] has been active since at least 2009 and has been linked to the [[Software/S0001|Industroyer]], [[Software/S0004|BlackEnergy 3]], and [[Software/S0016|KillDisk]] malware.[[CiteRef::Sandworm – DOJ Indictment]][[CiteRef::Industroyer - Dragos - 201706]]
[[Group/G0001|XENOTIME]] is a threat group that has targeted and compromised industrial systems, specifically safety instrumented systems that are designed to provide safety and protective functions. [[Group/G0001|XENOTIME]] has previously targeted the oil & gas and electric sectors within the Middle East, Europe, and North America. [[Group/G0001|XENOTIME]] has also been reported to target ICS vendors, manufacturers, and organizations in the Middle East. This group is one of the few with reported destructive capabilities.[[CiteRef::Reference - Dragos - Xenotime]]
S
[[Software/S0018|ACAD/Medre.A]] is a worm that steals operational information. The worm collects AutoCAD drawing files. [[Software/S0018|ACAD/Medre.A]] has the capability to be used for industrial espionage.[[CiteRef::ACAD - ESET]]
[[Software/S0003|Backdoor.Oldrea]] is a Remote Access Trojan (RAT) that communicates with a Command and Control (C2) server. The C2 server can deploy payloads that provide additional functionality. One payload has been identified and analyzed that enumerates all connected network resources, such as computers or shared resources, and uses the classic DCOM-based (Distributed Component Object Model) version of the Open Platform Communications (OPC) standard to gather information about connected control system devices and resources within the network.[[CiteRef::Havex - ICS-CERT - Advisory]][[CiteRef::Havex - ICS-CERT - Alert]][[CiteRef::Havex - F-Secure]][[CiteRef::Havex - WWU]][[CiteRef::Havex - Fireeye - 201407]][[CiteRef::Havex - Symantec - 201406]][[CiteRef::Havex - Video S4x15]][[CiteRef::Havex - SANS - 201601]]
[[Software/S0005|Bad Rabbit]] is self-propagating (“wormable”) ransomware that affected the transportation sector in Ukraine.[[CiteRef::Bad Rabbit - ESET - 201724]]
[[Software/S0004|BlackEnergy 3]] is a malware toolkit that has been used by both criminal and APT actors. It supports various plug-ins, including a variant of [[Software/S0016|KillDisk]]. It is known to have been used against the Ukrainian power grid.[[CiteRef::BlackEnergy - Booz Allen Hamilton]]
[[Software/S0012|Conficker]] is a computer worm that targets Microsoft Windows and was first detected in November 2008. It exploits a vulnerability in the Windows Server service (MS08-067) and uses dictionary attacks against administrator passwords to propagate, forming a botnet. [[Software/S0012|Conficker]] made its way onto computers and removable disk drives in a nuclear power plant.[[CiteRef::KGG-Softpedia]]
[[Software/S0014|Duqu]] is a collection of computer malware discovered in 2011. It is reportedly related to the [[Software/S0010|Stuxnet]] worm, although [[Software/S0014|Duqu]] is not self-replicating.[[CiteRef::Duqu - Symantec - 201123]]
[[Software/S0017|EKANS]] is ransomware that was first seen in December 2019 and later reported to have impacted operations at Honda automotive production facilities.[[CiteRef::EKANS – forbes – honda]][[CiteRef::EKANS – Malwarebytes – honda]][[CiteRef::EKANS – Dragos]] EKANS has a hard-coded kill-list of processes, including some associated with common ICS software platforms (e.g., GE Proficy historian, Honeywell HMIWeb).[[CiteRef::EKANS – Dragos]] If the malware finds these processes running on the target system, it stops them and then encrypts and renames files, preventing the programs from restarting. The ICS processes in the malware’s kill-list are similar to those in the kill-list of the MegaCortex ransomware.[[CiteRef::EKANS – Fireeye financial]][[CiteRef::EKANS – pylos]][[CiteRef::EKANS – dragos misconceptions]] The ransomware was initially reported as “Snake”; to avoid confusion with the unrelated “Snake” malware associated with the [https://attack.mitre.org/groups/G0010/ Turla group], security researchers spelled the name backwards as EKANS.
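The kill-list behaviour described above has a host-side signature that does not depend on a sample of EKANS: one process obtaining terminate access on several ICS-related processes within a short burst. The following is an added example (not code from this page, from Dragos, or from any EKANS analysis it cites) that applies that heuristic to Sysmon Event ID 10 (ProcessAccess) records, where PROCESS_TERMINATE is bit 0x0001 of GrantedAccess. The process names in the watch-list and the event lines are constructed placeholders, not real vendor binaries or real telemetry.

```python
"""Burst detection for EKANS-style ICS process killing.

Added example, not from the ATT&CK for ICS page or the EKANS analyses it
cites.  Input is a constructed, pipe-delimited rendering of Sysmon Event
ID 10 (ProcessAccess) fields: the requesting process (SourceImage), the
process opened (TargetImage) and the access mask (GrantedAccess).
PROCESS_TERMINATE is bit 0x0001 of that mask (Win32 constant).  A single
source that obtains terminate access on several watch-listed processes
inside a short window is flagged.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PROCESS_TERMINATE = 0x0001

# Constructed watch-list: placeholder names standing in for the historian,
# HMI and OPC processes an EKANS-style kill-list targets.  Matching is on
# the lower-cased basename so path and case differences do not matter.
ICS_WATCHLIST = {"ics_historian.exe", "hmi_web.exe", "opc_server.exe", "alarm_srv.exe"}

# Constructed sample telemetry (hypothetical paths and timestamps).
SAMPLE_EVENTS = r"""
UtcTime=2020-06-08 09:00:01|SourceImage=C:\Windows\System32\Taskmgr.exe|TargetImage=C:\ICS\ics_historian.exe|GrantedAccess=0x1001
UtcTime=2020-06-08 09:00:05|SourceImage=C:\Windows\System32\svchost.exe|TargetImage=C:\ICS\hmi_web.exe|GrantedAccess=0x1000
UtcTime=2020-06-08 09:00:10|SourceImage=C:\Users\op\AppData\Local\Temp\update.exe|TargetImage=C:\ICS\ics_historian.exe|GrantedAccess=0x1001
UtcTime=2020-06-08 09:00:11|SourceImage=C:\Users\op\AppData\Local\Temp\update.exe|TargetImage=C:\ICS\HMI_Web.exe|GrantedAccess=0x1001
UtcTime=2020-06-08 09:00:12|SourceImage=C:\Users\op\AppData\Local\Temp\update.exe|TargetImage=C:\Windows\System32\notepad.exe|GrantedAccess=0x1001
UtcTime=2020-06-08 09:00:13|SourceImage=C:\Users\op\AppData\Local\Temp\update.exe|TargetImage=C:\ICS\opc_server.exe|GrantedAccess=0x1001
UtcTime=2020-06-08 09:00:14|SourceImage=C:\Users\op\AppData\Local\Temp\update.exe|TargetImage=C:\ICS\alarm_srv.exe|GrantedAccess=0x1001
UtcTime=2020-06-08 09:05:00|SourceImage=C:\Windows\System32\Taskmgr.exe|TargetImage=C:\ICS\hmi_web.exe|GrantedAccess=0x1001
"""


def basename(image: str) -> str:
    """Lower-cased final path component of a Windows or POSIX image path."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_event(line: str) -> dict:
    """Parse one 'key=value|key=value' line into typed fields."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return {
        "time": datetime.strptime(fields["UtcTime"], "%Y-%m-%d %H:%M:%S"),
        "source": fields["SourceImage"],
        "target": fields["TargetImage"],
        "access": int(fields["GrantedAccess"], 16),
    }


def find_kill_bursts(events, window=timedelta(seconds=30), threshold=3):
    """Map each suspicious SourceImage to the sorted list of watch-listed
    targets it obtained PROCESS_TERMINATE on, when at least `threshold`
    distinct targets fall inside any `window`-long span."""
    hits = defaultdict(list)  # source image -> [(time, target basename)]
    for ev in events:
        if not ev["access"] & PROCESS_TERMINATE:
            continue  # query/read handles are not kill attempts
        name = basename(ev["target"])
        if name in ICS_WATCHLIST:
            hits[ev["source"]].append((ev["time"], name))

    alerts = {}
    for source, items in hits.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            # Distinct watch-listed targets hit within `window` of this hit.
            seen = {name for t, name in items[i:] if t - start <= window}
            if len(seen) >= threshold:
                alerts[source] = sorted(seen)
                break
    return alerts


def run_sample():
    """Run the detector over the constructed sample and return its alerts."""
    events = [parse_event(l) for l in SAMPLE_EVENTS.splitlines() if l.strip()]
    return find_kill_bursts(events)


if __name__ == "__main__":
    for source, targets in run_sample().items():
        print(f"ALERT: {source} obtained terminate access on {', '.join(targets)}")
```

In the sample, the administrator's Task Manager kills one process at 09:00 and another five minutes later, so it never reaches the threshold, and the svchost handle carries only query rights (0x1000) and is ignored; only the Temp-directory binary that opens four watch-listed processes for termination inside five seconds is reported. Two caveats: Sysmon only records ProcessAccess events that its configuration includes, so the rule set on the host must log opens of the ICS processes, and the threshold and window should be tuned against normal maintenance activity (service restarts, patching) before the rule is used for alerting.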
[[Software/S0015|Flame]] is an attacker-instructed worm which may open a backdoor and steal information from a compromised computer. [[Software/S0015|Flame]] has the capability to be used for industrial espionage.[[CiteRef::Flame - Symantec - 201911]]
[[Software/S0001|Industroyer]] is a sophisticated piece of malware designed to cause an [[Impact]] on the working processes of Industrial Control Systems (ICS), specifically ICSs used in electrical substations.[[CiteRef::Industroyer - ESET - 201706]] [[Software/S0001|Industroyer]] is alleged to have been used in the attacks on the Ukrainian power grid in December 2016.[[CiteRef::Industroyer - Dragos - 201706]][[CiteRef::Industroyer - CISA Alert TA17-163A - 201706]][[CiteRef::Industroyer - Dragos - 201810]][[CiteRef::Industroyer - Dragos - 201908]]
In 2015 the BlackEnergy malware contained a component called [[Software/S0016|KillDisk]]. [[Software/S0016|KillDisk]]'s main functionality is to overwrite files with random data, rendering the OS unbootable.[[CiteRef::Ukraine15 - ESET - 201601]]
[[Software/S0008|LockerGoga]] is ransomware that has been tied to various attacks on industrial and manufacturing firms with apparently catastrophic consequences.[[CiteRef::LockerGoga - Wired - 201903]][[CiteRef::LockerGoga - DoublePulsar]][[CiteRef::LockerGoga - Hydro]]