Welcome to the portal version of our book "Threat Group Cards: A Threat Actor Encyclopedia", a free PDF we first published in 2019 on the ThaiCERT brand and that can still be downloaded here (8 July 2020, outdated now).
When analyzing security incidents we always face the question which adversary we are possibly dealing with and what we know about their prior engagements and TTP, to get a better understanding of how to approach and what else to look for.
This portal aims to create full profiles of all threat groups worldwide that have been identified with all research generously shared by anti-virus and security research organizations over the years. It can be used as “threat group cards”, as the portal title suggests, to have everything together in an elaborate profile for each threat group. All dates shown in the cards are the dates when the stated activities started, not necessarily when the reports about them came out.
All information in this portal comes from public sources (OSINT). The difficult part of attributing campaigns to actors has been done by those security research organizations as well. What makes this difficult is the fact that there may be some overlap between threat groups, where they share tools or people move between groups, or when groups suddenly change tactics or type of target.
Not all groups have been publicly documented as well as others; most groups have remained rather obscure and, of course, not all individual campaigns resulted in public knowledge – targeted companies usually don’t welcome such exposure.ETDA has a strictly neutral role and everything collected in this portal does in no way signify specific endorsements, placing blame on countries or taking sides.
With that said, compiling this data has been a tremendously interesting journey into the dark world of cybercrime and the groups associated with it.
MISP users can also obtain the data in MISP galaxy/cluster format that can directly be imported in your system as described in the MISP manual at section <https://www.circl.lu/doc/misp/galaxy/>:
Put the following 2 portal generated files in <misp-instance>/app/files/misp-galaxy/clusters
and the following 2 fixed files in <misp-instance>/app/files/misp-galaxy/galaxies
After installing the files, activate them in the MISP portal with menu option “Galaxies” → “List Galaxies” and then choosing option “Update Galaxies”.
The following excellent sources have been consulted to compile this encyclopedia:
This encyclopedia has been developed to catalog all known important adversaries to information security, with the aim to get a better understanding of international threats and to aid in faster response to future incidents. The content is based on the public knowledge of the security community and not solely the view of ETDA. It may not necessarily represent state-of-the-art and it might be updated from time to time.
Third party sources are quoted as appropriate. ETDA is not responsible for the content of the external sources, including external websites, nor their continued availability, referenced in this encyclopedia.
Where specific vendors or product names are given, those do not mean endorsement from ETDA, but serve to document history only.
This encyclopedia is intended for educational and information purposes only. Neither ETDA nor any person acting on its behalf is responsible for the use that might be made of the information contained in this encyclopedia. All information contained herein is provided on an “As Is” basis with no warranty whatsoever. ETDA does not promise any specific result, effects or outcome from the use of the information herein.
This encyclopedia is published under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
Copyright © Electronic Transactions Development Agency, 2019-2024
ETDA express our sincere gratitude to the various CERT teams and security research organizations who peer-reviewed the data and provided valuable input and feedback. We are also very grateful for the security researchers who published so many and so detailed reports, as well as, indirectly, all the volunteers who contributed to the projects we could consult.
Digital Service Security Center Follow us on |
Report incidents |
|
+66 (0)2-123-1227 | ||
[email protected] |