Global Cyberthreat Landscape
Free Group-IB research on attackers' tactics, techniques, procedures, and indicators of compromise



Advanced threat actor profiles and research

Hi-Tech Crime Trends 2020/2021
Source of strategic data on the global cyber threat landscape and forecasts for its development

Active since: November 2020
Attribution: Russian-speaking
Geography of attacks: Europe, Latin America, Africa, Asia
Target sectors: Finance sector
Main goal: Money
Attack vectors: Phishing emails with malicious attachments

Online Piracy Research: Jolly Roger’s patrons
Group-IB exposes financial crime network of online pirates in developing countries.


Fxmsp: “The invisible god of networks”
The evolution of Fxmsp — one of the most notorious and prolific sellers of access to corporate networks on underground forums. Group-IB researchers analyzed Fxmsp’s activity on underground forums for three years and discovered that the threat actor had compromised networks of more than 130 targets.

Active since: November 2019
Attribution: Russian-speaking
Geography of attacks: Europe, Latin America, Africa, Asia
Target sectors: Finance sector
Main goal: Money
Attack vectors: Phishing emails with malicious attachments

Xenotime
Xenotime, known for its malware called Triton (aka Trisis), had improved its malware and its new version could be used to attack various industrial safety systems.

Active since: December 2018
Attribution: Russian-speaking
Geography of attacks: Europe, Asia, Americas
Target sectors: Fuel & Energy
Main goal: Sabotage
Attack vectors: Malware

JS-Sniffers
In-depth analysis and new types of a growing threat — JS‑sniffers — designed to steal payment data.

Active since: September 2018
Attribution: —
Geography of attacks: Europe
Target sectors: Retail
Main goal: Theft of payment details and other personal data
Attack vectors: Malicious code injected by the threat actor into the victim’s website to intercept user input

RedCurl
Research of the new espionage APT-group RedCurl and its elaborate attacks on enterprise companies in North America, Europe and CIS.

Active since: June 2018
Attribution: Presumably Russian-speaking
Geography of attacks: Russia, Ukraine, Canada, Germany, the United Kingdom, Norway
Target sectors: Financial, retail, insurance, construction and others
Main goal: Espionage, sensitive documents and data theft
Attack vectors: Elaborate spear phishing emails targeting a specific department

Hexane
HEXANE is a new group targeting the industrial sector. Its members have been active since mid-2018, focusing on the Middle East, Central Asia, and Africa.

Active since: April 2018
Attribution: Middle East
Geography of attacks: Middle East, Central Asia, Africa
Target sectors: Telecom, Fuel & Energy
Main goal: Gaining access to critical infrastructure
Attack vectors: Supply chain attack, spear phishing, password spraying

Chafer
The goal of the group Chafer (aka APT39) is to collect personal data for further user monitoring and tracking operations in support of Iranian national interests.

Active since: March 2018
Attribution: Iran
Geography of attacks: Europe
Target sectors: Telecom
Main goal: Espionage
Attack vectors: Phishing emails with malicious attachments

Thrip
The Chinese hacker group Thrip is known for espionage and sabotage attacks. In particular, they target organizations in the satellite communications sector.

Active since: January 2018
Attribution: China
Geography of attacks: Southeast Asia
Target sectors: Telecom
Main goal: Espionage & sabotage
Attack vectors: Living off the land

Silent Cards
APT group from Kenya targeting regional banks.

Active since: End of 2017
Attribution: Kenya
Geography of attacks: Africa
Target sectors: Finance
Main goal: Money theft from the banks
Attack vectors: Obtaining access to a payment gateway via a compromised corporate network

MuddyWater
The state-sponsored group MuddyWater gained access to the local network of Korek Telecom, a mobile operator based in Erbil, Iraq.

Active since: September 2017
Attribution: Iran
Geography of attacks: Middle East
Target sectors: Telecom
Main goal: Espionage
Attack vectors: Supply chain attack, spear phishing


Silence
A comprehensive technical analysis of Silence’s tools, tactics, and evolution. This is the first time Group‑IB’s reports of this kind have been made publicly available.


Active since: August 2017
Attribution: Russian-speaking
Geography of attacks: Europe, Latin America, Africa, Asia
Target sectors: Finance sector
Main goal: Money theft from the banks
Attack vectors: Phishing emails with malicious attachments

Lazarus
Lazarus group targets the largest international banks as well as central banks in various countries.

Active since: April 2017
Attribution: North Korea
Geography of attacks: Europe, Asia, Americas
Target sectors: Finance, Telecom, Fuel & Energy
Main goal: Money theft
Attack vectors: Infection through execution of exploits

Winnti
The Winnti group has been observed since May 2012. The cybercriminals originate from China. The majority of victims detected to date have been in the electronic gaming, multimedia, and Internet content industries, although attacks against technology companies, healthcare, and telecom have also been observed.

Active since: 2017
Attribution: China
Geography of attacks: Europe, Latin America, Africa, Asia
Target sectors: Finance sector
Main goal: Money
Attack vectors: Phishing emails with malicious attachments

LeafMiner
LeafMiner hackers, believed to be based in Iran, use watering hole attacks to infiltrate targeted organizations.

Active since: January 2017
Attribution: Iran
Geography of attacks: Middle East
Target sectors: Fuel & Energy
Main goal: Sabotage
Attack vectors: “Watering hole” attacks

APT33
In late 2018, APT33 (aka Elfin, Magnallium) resumed its attacks using a new variant of the Shamoon Trojan, targeting oil, gas, telecommunications, and energy companies as well as government organizations.

Active since: June 2016
Attribution: Iran
Geography of attacks: Middle East, Asia, Americas
Target sectors: Telecom, Fuel & Energy
Main goal: Sabotage, Espionage, Information theft
Attack vectors: Spear phishing email


Cobalt
Learn about Cobalt’s development and modification of the tools and tactics used to steal approximately 1 billion dollars from over 100 banks in 40 different countries.


Active since: May 2016
Attribution: Russian-speaking
Geography of attacks: Europe, Latin America, Africa, Asia
Target sectors: Finance sector
Main goal: Money
Attack vectors: Phishing emails with malicious attachments

MoneyTaker
This hacker group is notable for 1.5 years of silent operations and multiple attacks. They still pose a threat: learn about MoneyTaker’s techniques and indicators of compromise now.

Active since: May 2016
Attribution: Russian-speaking
Geography of attacks: Europe, Latin America, Africa, Asia
Target sectors: Finance sector
Main goal: Money
Attack vectors: Phishing emails with malicious attachments

UltraRank
A new stage in JS-sniffer research: from analyzing malware families to identifying threat actors. For five years, the cybercriminal group UltraRank has conducted campaigns using JS-sniffers and managed to stay largely unnoticed.

Active since: Autumn 2015
Attribution: Presumably Russian-speaking
Geography of attacks: Global, except Russia and CIS
Target sectors: Ecommerce
Main goal: Theft of bank card payment data
Attack vectors: Vulnerabilities in CMS (such as Magento); unpatched software; compromised third-party suppliers.

Buhtrap
From August 2015 to February 2016, Buhtrap managed to conduct 13 successful attacks against Russian banks for a total amount of 1.8 billion rubles ($25 mln).

Active since: March 2016
Attribution: Russian-speaking
Geography of attacks: Europe, Latin America, Africa, Asia
Target sectors: Finance sector
Main goal: Money
Attack vectors: Phishing emails with malicious attachments

Lurk
In February 2015, the group stole 150 million rubles ($2.3 million) from a Russian bank. Members of the criminal group were arrested in May 2016.

Active since: 2015
Attribution: Russian-speaking
Geography of attacks: Eastern Europe
Target sectors: Finance sector
Main goal: Money theft from the banks
Attack vectors: Infection with the Trojan

Lazarus
Lazarus group targets the largest international banks as well as central banks in various countries.

Active since: July 2014
Attribution: North Korea
Geography of attacks: Europe, Asia, Americas
Target sectors: Finance, Telecom, Fuel & Energy
Main goal: Money theft
Attack vectors: Infection through execution of exploits

Corkow
Group-IB annual report on speculative exchange rate fluctuations and other incidents in 2015 caused by the Trojan program Corkow (Metel).

Active since: February 2015
Attribution: Russian-speaking
Geography of attacks: Europe, Latin America, Africa, Asia
Target sectors: Finance sector
Main goal: Money
Attack vectors: Phishing emails with malicious attachments

BlackEnergy
BlackEnergy is one of the most advanced energy sector-oriented groups and has caused disruptions in energy organizations more than once.

Active since: 2014
Attribution: Russian-speaking
Geography of attacks: Europe, Asia, Americas
Target sectors: Fuel & Energy
Main goal: Sabotage
Attack vectors: Phishing emails with a malicious link or attachment

Lazarus
Lazarus group targets the largest international banks as well as central banks in various countries.

Active since: January 2014
Attribution: North Korea
Geography of attacks: Europe, Asia, Americas
Target sectors: Finance, Telecom, Fuel & Energy
Main goal: Money theft
Attack vectors: Infection through execution of exploits

Regin
Regin is a stealthy attack platform that has been used to target organizations across various sectors and countries since at least 2008. It was attributed to US and British intelligence. The malware was reportedly used in attacks targeting EU government networks, telecoms, private companies, and research institutes.

Active since: June 2014
Attribution: USA/UK
Geography of attacks: Europe, Latin America, Africa, Asia
Target sectors: Finance, Telecom
Main goal: Espionage
Attack vectors: Phishing emails with malicious attachments

Dragonfly
The group Dragonfly, believed to be sponsored by Russia, focuses on collecting data from energy and industrial facilities.

Active since: February 2013
Attribution: Russian-speaking
Geography of attacks: Europe, Asia, America
Target sectors: Fuel & Energy
Main goal: Espionage
Attack vectors: Phishing emails and “watering hole” attacks

APT10
The Chinese state-sponsored group APT10 conducted a large-scale attack to obtain CDR records belonging to a large telecommunications provider.

Active since: January 2012
Attribution: China
Geography of attacks: Americas, Europe, Asia
Target sectors: Telecom
Main goal: —
Attack vectors: Spear phishing and access to victims’ networks through managed service providers

Anunak
This research includes the findings of Group-IB and Fox‑IT on the Anunak (Carbanak) group, which focused its activity on banks and electronic payment systems.

Active since: December 2014
Attribution: Russian-speaking
Geography of attacks: Europe, Latin America, Africa, Asia
Target sectors: Finance sector
Main goal: Money
Attack vectors: Phishing emails with malicious attachments