Tracking Adversary Group Activities

Presented by: Ashwin (Microsoft Azure MVP)

APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165. This group has been active since at least 2004.

Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.

Source:

MITRE ATT&CK® Matrix for Enterprise

Now, let's see the details around the series of events associated with this group in chronological order, and how we can work to mitigate or detect these threats.

Presented by: Ashwin (Microsoft Azure MVP)

APT29 is threat group that has been attributed to Russia's Foreign Intelligence Service (SVR). They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.

Source:

MITRE ATT&CK® Matrix for Enterprise

Now, let's see the details around the series of events associated with this group in chronological order, and how we can work to mitigate or detect these threats.

Presented by: Ashwin (Microsoft Azure MVP)

APT3 is a China-based threat group that researchers have attributed to China's Ministry of State Security. This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap. As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.

Source:

MITRE ATT&CK® Matrix for Enterprise

Now, let's see the details around the series of events associated with this group in chronological order, and how we can work to mitigate or detect these threats.

Presented by: Ashwin (Microsoft Azure MVP)

APT41 is a threat group that researchers have assessed as Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, APT41 has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group.

Source:

MITRE ATT&CK® Matrix for Enterprise

Now, let's see the details around the series of events associated with this group in chronological order, and how we can work to mitigate or detect these threats.

Presented by: Ashwin (Microsoft Azure MVP)

APT-C-36 is a suspected South America espionage group that has been active since at least 2018. The group mainly targets Colombian government institutions as well as important corporations in the financial sector, petroleum industry, and professional manufacturing.

Source:

MITRE ATT&CK® Matrix for Enterprise

Now, let's see the details around the series of events associated with this group in chronological order, and how we can work to mitigate or detect these threats.

Presented by: Ashwin (Microsoft Azure MVP)

APT37 is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. APT37 has also been linked to the following campaigns between 2016-2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, North Korean Human Rights, and Evil New Year 2018.

Source:

MITRE ATT&CK® Matrix for Enterprise

Now, let's see the details around the series of events associated with this group in chronological order, and how we can work to mitigate or detect these threats.

Presented by: Ashwin (Microsoft Azure MVP)

APT1 is a Chinese threat group that has been attributed to the 2nd Bureau of the People's Liberation Army (PLA) General Staff Department's (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398.

Source:

MITRE ATT&CK® Matrix for Enterprise

Now, let's see the details around the series of events associated with this group in chronological order, and how we can work to mitigate or detect these threats.

Presented by: Ashwin (Microsoft Azure MVP)

APT12 is a threat group that has been attributed to China. The group has targeted a variety of victims including but not limited to media outlets, high-tech companies, and multiple governments.

Source:

MITRE ATT&CK® Matrix for Enterprise

Now, let's see the details around the series of events associated with this group in chronological order, and how we can work to mitigate or detect these threats.

Presented by: Ashwin (Microsoft Azure MVP)

APT16 is a China-based threat group that has launched spearphishing campaigns targeting Japanese and Taiwanese organizations.

Source:

MITRE ATT&CK® Matrix for Enterprise

Now, let's see the details around the series of events associated with this group in chronological order, and how we can work to mitigate or detect these threats.

Presented by: Ashwin (Microsoft Azure MVP)

APT17 is a China-based threat group that has conducted network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations.

Source:

MITRE ATT&CK® Matrix for Enterprise

Now, let's see the details around the series of events associated with this group in chronological order, and how we can work to mitigate or detect these threats.

Presented by: Ashwin (Microsoft Azure MVP)

APT18 is a threat group that has operated since at least 2009 and has targeted a range of industries, including technology, manufacturing, human rights groups, government, and medical.

Source:

MITRE ATT&CK® Matrix for Enterprise

Now, let's see the details around the series of events associated with this group in chronological order, and how we can work to mitigate or detect these threats.

Presented by: Ashwin (Microsoft Azure MVP)

APT19 is a Chinese-based threat group that has targeted a variety of industries, including defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal services. In 2017, a phishing campaign was used to target seven law and investment firms. Some analysts track APT19 and Deep Panda as the same group, but it is unclear from open source information if the groups are the same.

Source:

MITRE ATT&CK® Matrix for Enterprise

Now, let's see the details around the series of events associated with this group in chronological order, and how we can work to mitigate or detect these threats.

Presented by: Ashwin (Microsoft Azure MVP)

APT30 is a threat group suspected to be associated with the Chinese government. While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.

Source:

MITRE ATT&CK® Matrix for Enterprise

Now, let's see the details around the series of events associated with this group in chronological order, and how we can work to mitigate or detect these threats.

Presented by: Ashwin (Microsoft Azure MVP)

APT32 is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists with a strong focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia. They have extensively used strategic web compromises to compromise victims.

Source:

MITRE ATT&CK® Matrix for Enterprise

Now, let's see the details around the series of events associated with this group in chronological order, and how we can work to mitigate or detect these threats.

Presented by: Ashwin (Microsoft Azure MVP)

APT33 is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors.

Source:

MITRE ATT&CK® Matrix for Enterprise

Now, let's see the details around the series of events associated with this group in chronological order, and how we can work to mitigate or detect these threats.

Presented by: Ashwin (Microsoft Azure MVP)

APT38 is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau. Active since at least 2014, APT38 has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which APT38 stole $81 million, as well as attacks against Bancomext (2018) and Banco de Chile (2018); some of their attacks have been destructive.

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.

Source:

MITRE ATT&CK® Matrix for Enterprise

Now, let's see the details around the series of events associated with this group in chronological order, and how we can work to mitigate or detect these threats.

Presented by: Ashwin (Microsoft Azure MVP)

APT39 is one of several names for cyberespionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since at least 2014. APT39 has primarily targeted the travel, hospitality, academic, and telecommunications industries in Iran and across Asia, Africa, Europe, and North America to track individuals and entities considered to be a threat by the MOIS.

Source:

MITRE ATT&CK® Matrix for Enterprise

Now, let's see the details around the series of events associated with this group in chronological order, and how we can work to mitigate or detect these threats.