Cyber attacks by APT hacker groups disclosed in 2019-2020

An APT (Advanced Persistent Threat) is a form of attack that uses sophisticated techniques to steal sensitive information while remaining undetected. The targets of APT hacker groups include organizations and enterprises in government, defense, financial services, legal services, industry, telecommunications, consumer goods and other sectors.

An APT attack is carried out in distinct stages: target reconnaissance, penetration, bypassing security mechanisms, and stealing information. Experienced cyber criminals spend a great deal of time persistently probing a specific target in order to gain access. They also have the capability to develop custom malware that evades antivirus scanning and network intrusion detection.

APT attacks in 2019

January

1 Jan/16 Latest Target Attack of DarkHydruns Group Against Middle East
2 Jan/17 Malware Used by “Rocke” Group Evolves to Evade Detection by Cloud Security Products
3 Jan/18 DarkHydrus delivers new Trojan that can use Google Drive for C2 communications
4 Jan/24 GandCrab and Ursnif Campaign
5 Jan/30 Targeted Campaign delivers Orcus Remote Access Trojan
6 Jan/30 Double Life of SectorA05 Nesting in Agora
7 Jan/30 Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities

February

1 Feb/01 Tracking OceanLotus’ new Downloader, KerrDown
2 Feb/05 Analyzing Digital Quartermasters in Asia – Do Chinese and Indian APTs Have a Shared Supply Chain
3 Feb/06 APT10 Targeted Norwegian MSP and US Companies in Sustained Campaign
4 Feb/14 Suspected Molerats’ New Attack in the Middle East
5 Feb/18 APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations
6 Feb/20 IT IS IDENTIFIED ATTACKS OF THE CIBERCRIMINAL LAZARUS GROUP DIRECTED TO ORGANIZATIONS IN RUSSIA
7 Feb/25 Defeating Compiler Level Obfuscations Used in APT10 Malware
8 Feb/26 The Arsenal Behind the Australian Parliament Hack
9 Feb/27 A Peek into BRONZE UNION’s Toolbox

March

1 Mar/04 APT40: Examining a China-Nexus Espionage Actor
2 Mar/06 Whitefly: Espionage Group has Singapore in Its Sights
3 Mar/06 Targeted attack using Taidoor Analysis report
4 Mar/06 Operation Pistacchietto
5 Mar/07 New SLUB Backdoor Uses GitHub, Communicates via Slack
6 Mar/08 Supply Chain – The Major Target of Cyberespionage Groups
7 Mar/11 Gaming industry still in the scope of attackers in Asia
8 Mar/12 Operation Comando: How to Run a Cheap and Effective Credit Card Business
9 Mar/13 Operation Sheep: Pilfer-Analytics SDK in Action
10 Mar/13 ‘DMSniff’ POS Malware Actively Leveraged to Target Small-, Medium-Sized Businesses
11 Mar/13 GlitchPOS: New PoS malware for sale
12 Mar/13 LUCKY ELEPHANT CAMPAIGN MASQUERADING
13 Mar/22 Operation ShadowHammer
14 Mar/25 Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.
15 Mar/27 Threat Actor Group using UAC Bypass Module to run BAT File
16 Mar/28 Above Us Only Stars: Exposing GPS Spoofing in Russia and Syria
17 Mar/28 Desktop, Mobile Phishing Campaign Targets South Korean Websites, Steals Credentials Via Watering Hole

April

1 Apr/02 OceanLotus Steganography
2 Apr/10 Gaza Cybergang Group1, operation SneakyPastes
3 Apr/10 Project TajMahal – a sophisticated new APT framework
4 Apr/10 The Muddy Waters of APT Attacks
5 Apr/17 DNS Hijacking Abuses Trust In Core Internet Service
6 Apr/17 Aggah Campaign: Bit.ly, BlogSpot, and Pastebin Used for C2 in Large Scale Campaign
7 Apr/19 “Funky malware format” found in Ocean Lotus sample
8 Apr/22 FINTEAM: Trojanized TeamViewer Against Government Targets
9 Apr/23 Operation ShadowHammer: a high-profile supply chain attack
10 Apr/24 [legit remote admin tools turn into threat actors’ tools](https://e.cyberint.com/hubfs/Report Legit Remote Access Tools Turn Into Threat Actors Tools/CyberInt_Legit Remote Access Tools Turn Into Threat Actors' Tools_Report.pdf)
11 Apr/30 SectorB06 using Mongolian language in lure document

May

1 May/03 Who’s who in the Zoo Cyberespionage operation targets Android users in the Middle East
2 May/07 Buckeye: Espionage Outfit Used Equation Group Tools Prior to Shadow Brokers Leak
3 May/07 Turla LightNeuron: An email too far
4 May/07 ATMitch: New Evidence Spotted In The Wild
5 May/08 OceanLotus’ Attacks to Indochinese Peninsula: Evolution of Targets, Techniques and Procedure
6 May/08 FIN7.5: the infamous cybercrime rig “FIN7” continues its activities
7 May/09 Iranian Nation-State APT Groups – “Black Box” Leak
8 May/11 Chinese Actor APT target Ministry of Justice Vietnamese
9 May/13 ScarCruft continues to evolve, introduces Bluetooth harvester
10 May/15 Winnti: More than just Windows and Gates
11 May/18 Operation_BlackLion
12 May/19 HiddenWasp Malware Stings Targeted Linux Systems
13 May/22 A journey to Zebrocy land
14 May/24 UNCOVERING NEW ACTIVITY BY APT10
15 May/27 APT-C-38
16 May/28 Emissary Panda Attacks Middle East Government Sharepoint Servers
17 May/29 TA505 is Expanding its Operations
18 May/29 A dive into Turla PowerShell usage
19 May/30 10 years of virtual dynamite: A high-level retrospective of ATM malware

June

1 June/03 Zebrocy’s Multilanguage Malware Salad
2 June/04 An APT Blueprint: Gaining New Visibility into Financial Threats
3 June/05 Scattered Canary The Evolution and Inner Workings of a West African Cybercriminal Startup Turned BEC Enterprise
4 June/10 MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools
5 June/11 The Discovery of Fishwrap: A New Social Media Information Operation Methodology
6 June/12 [Threat Group Cards: A Threat Actor Encyclopedia](https://www.dropbox.com/s/ds0ra0c8odwsv3m/Threat Group Cards.pdf?dl)
7 June/20 New Approaches Utilized by OceanLotus to Target An Environmental Group in Vietnam
8 June/21 Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments
9 June/25 OPERATION SOFT CELL: A WORLDWIDE CAMPAIGN AGAINST TELECOMMUNICATIONS PROVIDERS
10 June/25 Analysis of MuddyC3, a New Weapon Used by MuddyWater
11 June/26 Iranian Threat Actor Amasses Large Cyber Operations Infrastructure Network to Target Saudi Organizations

July

1 Jul/01 Threat Spotlight: Ratsnif – New Network Vermin from OceanLotus
2 Jul/03 Operation Tripoli
3 Jul/04 Multiple Chinese Threat Groups Exploiting CVE-2018-0798 Equation Editor Vulnerability Since Late 2018
4 Jul/04 Latest Spam Campaigns from TA505 Now Using New Malware Tools Gelup and FlowerPippi
5 Jul/09 Twas the night before
6 Jul/11 Sea Turtle keeps on swimming, finds new victims, DNS hijacking techniques
7 Jul/15 Buhtrap group uses zero‑day in latest espionage campaigns
8 Jul/16 SWEED: Exposing years of Agent Tesla campaigns
9 Jul/17 SLUB Gets Rid of GitHub, Intensifies Slack Use
10 Jul/18 EvilGnome: Rare Malware Spying on Linux Desktop Users
11 Jul/18 OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY
12 Jul/18 Spam Campaign Targets Colombian Entities with Custom-made ‘Proyecto RAT,’ Uses Email Service YOPmail for C&C
13 Jul/20 Hard Pass: Declining APT34’s Invite to Join Their Professional Network
14 Jul/24 Chinese APT “Operation LagTime IT” Targets Government Information Technology Agencies in Eastern Asia
15 Jul/24 Attacking the Heart of the German Industry

August

1 Aug/01 Analysis of the Attack of Mobile Devices by OceanLotus
2 Aug/05 Sharpening the Machete
3 Aug/05 Latest Trickbot Campaign Delivered via Highly Obfuscated JS File
4 Aug/07 APT41: A Dual Espionage and Cyber Crime Operation
5 Aug/08 Suspected BITTER APT Continues Targeting Government of China and Chinese Organizations
6 Aug/12 Recent Cloud Atlas activity
7 Aug/14 In the Balkans, businesses are under fire from a double‑barreled weapon
8 Aug/20 [Malware analysis about unknown Chinese APT campaign](https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Unknown/20-08-19/Malware analysis 20-08-19.md)
9 Aug/21 Silence 2.0
10 Aug/21 The Gamaredon Group: A TTP Profile Analysis
11 Aug/26 APT-C-09 Reappeared as Conflict Intensified Between India and Pakistan
12 Aug/27 TA505 At It Again: Variety is the Spice of ServHelper and FlawedAmmyy
13 Aug/27 China Chopper still active 9 years later
14 Aug/27 LYCEUM Takes Center Stage in Middle East Campaign
15 Aug/27 [Malware analysis about sample of APT Patchwork](https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Indian/APT/Patchwork/27-08-19/Malware analysis 27-08-19.md)
16 Aug/29 SectorJ04 Group’s Increased Activity in 2019
17 Aug/29 More_eggs, Anyone? Threat Actor ITG08 Strikes Again
18 Aug/29 [Tick Tock – Activities of the Tick Cyber Espionage Group in East Asia Over the Last 10 Years](https://gsec.hitb.org/materials/sg2019/D1 COMMSEC - Tick Group - Activities Of The Tick Cyber Espionage Group In East Asia Over The Last 10 Years - Cha Minseok.pdf)
19 Aug/30 ‘Heatstroke’ Campaign Uses Multistage Phishing Attack to Steal PayPal and Credit Card Information
20 Aug/31 [Malware analysis on Bitter APT campaign](https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/offshore APT organization/Bitter/27-08-19/Malware analysis 31-08-19.md)

September

1 Sep/04 Glupteba Campaign Hits Network Routers and Updates C&C Servers with Data from Bitcoin Transactions
2 Sep/05 UPSynergy: Chinese-American Spy vs. Spy Story
3 Sep/06 BITTER APT: Not So Sweet
4 Sep/09 Thrip: Ambitious Attacks Against High Level Targets Continue
5 Sep/11 RANCOR APT: Suspected targeted attacks against South East Asia
6 Sep/15 The Kittens Are Back in Town Charming Kitten Campaign Against Academic Researchers
7 Sep/18 Tortoiseshell Group Targets IT Providers in Saudi Arabia in Probable Supply Chain Attacks
8 Sep/24 Mapping the connections inside Russia’s APT Ecosystem
9 Sep/24 How Tortoiseshell created a fake veteran hiring website to host malware
10 Sep/24 DeadlyKiss APT
11 Sep/26 Chinese APT Hackers Attack Windows Users via FakeNarrator Malware to Implant PcShare Backdoor
12 Sep/30 HELO Winnti: Attack or Scan?

October

1 Oct/01 New Fileless Botnet Novter Distributed by KovCoreG Malvertising Campaign
2 Oct/01 New Adwind Campaign targets US Petroleum Industry
3 Oct/03 PKPLUG: Chinese Cyber Espionage Group Attacking Asia
4 Oct/04 GEOST BOTNET. THE STORY OF THE DISCOVERY OF A NEW ANDROID BANKING TROJAN FROM AN OPSEC ERROR
5 Oct/07 China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations
6 Oct/07 The Kittens Are Back in Town 2 – Charming Kitten Campaign Keeps Going on, Using New Impersonation Methods
7 Oct/07 Supply chain attacks: threats targeting service providers and design offices
8 Oct/10 Attor, a spy platform with curious GSM fingerprinting
9 Oct/10 CONNECTING THE DOTS Exposing the arsenal and methods of the Winnti Group
10 Oct/10 Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques
11 Oct/14 HUGE FAN OF YOUR WORK: TURBINE PANDA
12 Oct/14 From tweet to rootkit
13 Oct/15 LOWKEY: Hunting for the Missing Volume Serial ID
14 Oct/17 Operation Ghost: The Dukes aren’t back – they never left
15 Oct/21 Winnti Group’s skip‑2.0: A Microsoft SQL Server backdoor
16 Oct/31 MESSAGETAP: Who’s Reading Your Text Messages?

November

1 Nov/01 Chrome 0-day exploit CVE-2019-13720 used in Operation WizardOpium
2 Nov/04 Higaisa APT
3 Nov/05 THE LAZARUS’ GAZE TO THE WORLD: WHAT IS BEHIND THE FIRST STONE ?
4 Nov/08 Titanium: the Platinum group strikes again
5 Nov/13 More than a Dozen Obfuscated APT33 Botnets Used for Extreme Narrow Targeting
6 Nov/20 Mac Backdoor Linked to Lazarus Targets Korean Users
7 Nov/20 Golden Eagle (APT-C-34)
8 Nov/25 Studying Donot Team
9 Nov/26 Insights from one year of tracking a polymorphic threat: Dexphot
10 Nov/28 RevengeHotels: cybercrime targeting hotel front desks worldwide
11 Nov/29 Operation ENDTRADE: Finding Multi-Stage Backdoors that TICK

December

1 Dec/03 Threat Actor Targeting Hong Kong Pro-Democracy Figures
2 Dec/04 Obfuscation Tools Found in the Capesand Exploit Kit Possibly Used in “KurdishCoder” Campaign
3 Dec/04 New Destructive Wiper “ZeroCleare” Targets Energy Sector in the Middle East
4 Dec/11 Waterbear is Back, Uses API Hooking to Evade Security Product Detection
5 Dec/12 Operation Gamework: Infrastructure Overlaps Found Between BlueAlpha and Iranian APTs
6 Dec/12 GALLIUM: Targeting global telecom
7 Dec/12 Drilling Deep: A Look at Cyberattacks on the Oil and Gas Industry

2020 attack list

January

1 Jan/01 [WeiXin] Pakistan Sidewinder APT Attack
2 Jan/06 First Active Attack Exploiting CVE-2019-2215 Found on Google Play, Linked to SideWinder APT
3 Jan/07 [Destructive Attack: DUSTMAN](https://github.com/blackorbird/APT_REPORT/blob/master/International Strategic/Iran/Saudi-Arabia-CNA-report.pdf)
4 Jan/07 Iranian Cyber Response to Death of IRGC Head Would Likely Use Reported TTPs and Previous Access
5 Jan/08 Operation AppleJeus Sequel
6 Jan/09 The State of Threats to Electric Entities in North America
7 Jan/13 APT27 ZxShell RootKit module updates
8 Jan/13 Reviving MuddyC3 Used by MuddyWater (IRAN) APT
9 Jan/16 JhoneRAT: Cloud based python RAT targeting Middle Eastern countries
10 Jan/31 Winnti Group targeting universities in Hong Kong

February

1 Feb/03 Actors Still Exploiting SharePoint Vulnerability to Attack Middle East Government Organizations
2 Feb/10 Outlaw Updates Kit to Kill Older Miner Versions, Targets More Systems

Listed above are the APT attacks of 2019-2020; the list will continue to be updated as new attacks are reported.

References

https://cybersecuritynews.com/apt-attack/

posted @ 2020-03-31 22:53  17bdw