APT Groups and Operations
Motive: Cyber security companies and antivirus vendors use different names for the same threat actors and often refer to each other's reports and group names. However, it is a difficult task to keep track of the different names and naming schemes. I wanted to create a reference that answers questions like "I read a report about the 'Tsar Team', is there another name for that group?" or "Attackers used the 'China Chopper' webshell, which of the APT groups did use that shell too?" or "Did he just say 'NetTraveler'? So, does he talk about Chinese or Russian attackers?"
Hints:
- Each active country / region has its own tab
- The "Other" tab contains actors from certain regions not covered by the main tabs
- The "Unknown" tab is used for groups / operations with no attribution
- Cells with overlaps are highlighted in gray. Overlaps are not errors per se but are necessary to visualize that groups tracked as one group by one vendor are divided into two different groups by another vendor
Disclaimer: Attribution is a very complex issue. This list is an attempt to map together the findings of different vendors and is not a reliable source. Most of the mappings rely on the findings of a single incident analysis. Groups often change their toolsets or exchange them with other groups. This makes attribution of certain operations extremely difficult. However, we decided that even an uncertain mapping is better than no mapping at all. Be aware that information published here may be wrong, quickly outdated, or may change based on evolving information.

People tend to comment on the sheet. Sometimes they add threat intel that isn't TLP:WHITE but is taken from some fee-based platform. Please let me know if confidential information has been disclosed.
Known Issues:
- Groups named after the malware (families) they've used
- Groups named after a certain operation
- Lists / tables are not normalized, to allow a better overview by avoiding too many spreadsheets
Overlaps: Names that appear multiple times are shaded in a light grey
First Release: 26.12.2015
Last Updated: see Google Drive Change History
License: Creative Commons Attribution 4.0 International (CC BY 4.0)
https://creativecommons.org/licenses/by/4.0/
Access Rights:
- Everyone: READ / COMMENT
- Invited Editors: READ / COMMENT / WRITE
Support: Please contact me (@cyb3rops) if you would like to modify or add content to these lists.
I will gladly give you write access to this list if:
- I know you personally or from my Twitter stream
- you are a threat intel researcher / malware analyst with some reference
- you are a vendor representative
- you are an author of the listed sources (see '_Sources' work sheet)

Please provide your email address if you are interested in helping me (preferably Gmail, as this allows native access via the connected Google account)
Search Engine: https://cse.google.com/cse/publicurl?cx=003248445720253387346:turlh5vi4xc
Short URL: http://apt.threattracking.com
Contributors
Name / Nickname - Twitter Handle
- Pasquale Stirparo - @pstirparo
- David Bizeul - @davidbizeul
- Brian Bell - @BiebsMalwareGuy
- Ziv Chang - @Gasgas4Ggyy
- Joel Esler - @joelesler
- Kristopher Bleich - @kc0iqx_bleich
- Maite Moreno - @mmorenog
- Monnappa K A - @monnappa22
- J. Capmany - @theweeZ
- Paul Hutchinson - @AllAboutAPT
- Boris Ivanov - @BlackCaesar1973
- Andre Gironda - @andregironda
- Devon Ackerman - @aboutdfir
- Carlos Fragoso - @cfragoso
- Eyal Sela - @eyalsela

And many helpful people that just commented on cells - thank you!