How to Search in this Spreadsheet?

1. Step: Use Ctrl+F / Command+F to bring up the search field, then click on the dotted vertical line next to the "X".
2. Step: Type the keyword you search for in the "Find" field and click on the "Find" button or press Enter. This will search for the keyword in all tabs of the spreadsheet.

General Information

Motive: Cyber security companies and antivirus vendors use different names for the same threat actors and often refer to each other's reports and group names. However, it is a difficult task to keep track of the different names and naming schemes. I wanted to create a reference that answers questions like "I read a report about the 'Tsar Team', is there another name for that group?" or "Attackers used the 'China Chopper' webshell, which of the APT groups used that shell too?" or "Did he just say 'NetTraveler'? So, is he talking about Chinese or Russian attackers?"

Hints:
- Each active country / region has its own tab
- The "Other" tab contains actors from certain regions not covered by the main tabs
- The "Unknown" tab is used for groups and operations with no attribution
- Cells with overlaps are highlighted in gray. Overlaps are not errors per se but are necessary to visualize that groups tracked as one group by one vendor are divided into two different groups by another vendor
Disclaimer: Attribution is a very complex issue. This list is an attempt to map together the findings of different vendors and is not a reliable source. Most of the mappings rely on the findings of a single incident analysis. Groups often change their toolsets or exchange them with other groups. This makes attribution of certain operations extremely difficult. However, we decided that even an uncertain mapping is better than no mapping at all. Be aware that information published here may be wrong, quickly outdated, or may change based on evolving information. People tend to comment on the sheet. Sometimes they add threat intel that isn't TLP:WHITE but taken from some fee-based platform. Please let me know if confidential information has been disclosed.

Known Issues:
- Groups named after the malware (families) they've used
- Groups named after a certain operation
- Lists / tables are not normalized, to allow a better overview by avoiding too many spreadsheets
- Some groups have since been discovered to be "umbrella" terms for sub-groups (e.g. Lazarus has subgroups; see Winnti's "Burning Umbrella" report)

Search: Press CTRL+F or Command+F and then use the symbol with the three dots to bring up the search dialogue, which searches the full workbook for your keywords.

Overlaps: Names that appear multiple times are shaded in a light grey.

First Release: 12/26/2015

License: CC Creative Commons - Attribution 4.0 International (CC BY 4.0) https://creativecommons.org/licenses/by/4.0/

Access Rights:
- Everyone: READ / COMMENT
- Invited Editors: READ / COMMENT / WRITE

Support: Please contact me (@cyb3rops) if you would like to modify or add content to these lists. I will gladly give you write access to this list if:
- I know you personally or from my Twitter stream
- you are a threat intel researcher / malware analyst with some reference
- you are a vendor representative
- you are an author of the listed sources (see '_Sources' work sheet)
Please provide your email address if you are interested in helping me (preferably Gmail - this allows native access via the connected Google account).

Search Engine: https://cse.google.com/cse/publicurl?cx=003248445720253387346:turlh5vi4xc

Short URL: https://apt.threattracking.com
Contributors
Name / Nickname - Twitter Handle
Pasquale Stirparo @pstirparo
David Bizeul @davidbizeul
Brian Bell No Twitter Account
Ziv Chang @Gasgas4Ggyy
Joel Esler @joelesler
Kristopher Bleich @kc0iqx_bleich
Maite Moreno @mmorenog
Monnappa K A @monnappa22
J. Capmany @theweeZ
Paul Hutchinson @AllAboutAPT
Boris Ivanov @BlackCaesar1973
Andre Gironda @andregironda
Devon Ackerman @aboutdfir
Carlos Fragoso @cfragoso
Eyal Sela @eyalsela
Florian Egloff @egflo
Ohad Zaidenberg @ohad_mz
Gary Warner @GarWarner
Efi Pecani @Excited_Efi
And many helpful people that just commented on cells - thank you!