Names | Snowglobe (CSEC), Animal Farm (Kaspersky), SIG20 (NSA), ATK 8 (Thales) | |
Country | France | |
Sponsor | State-sponsored | |
Motivation | Information theft and espionage | |
First seen | 2011 | |
Description | (GData) The revelation about the existence of yet another potentially nation-state driven spyware occurred in March 2014 when Le Monde first published information about top secret slides originating from 2011 and part of their content. But the slides Le Monde published revealed only a small part of the picture – several slides were cut out, some information was redacted. Germany’s Der Spiegel re-published the slide set with far less deletions recently, in January 2015, and therefore gave a deeper insight about what CSEC actually says they have tracked down. The newly published documents reveal: the so called operation SNOWGLOBE, was discovered in 2009 (slide 9) and consists of three different “implants”, two were dubbed snowballs and one “more sophisticated implant, discovered in mid-2010” is tagged as snowman (slide 7). According to slide 22, “CSEC assesses, with moderate certainty, SNOWGLOBE to be a state-sponsored CNO [Cyber Network Operation] effort, put forth by a French intelligence agency.” The information given dates back to 2011 and nothing else has been published since. Now that specific Babar samples have been identified and analyzed, there might be new information, also with regards to similarities or differences between the two Remote Administration Tools (RATs) EvilBunny and Babar. | |
Observed | Sectors: Defense, Government, Media and private sectors. Countries: Algeria, Austria, China, Congo, Cote d'Ivoire, Germany, Greece, Iran, Iraq, Israel, Malaysia, Morocco, Netherlands, New Zealand, Norway, Russia, Spain, Syria, Turkey, UK, Ukraine, USA. | |
Tools used | Babar, Casper, Dino, EvilBunny, Tafacalou, Nbot, Chocopop. | |
Information | <https://www.gdatasoftware.com/blog/2015/02/24270-babar-espionage-software-finally-found-and-put-under-the-microscope> <https://resources.infosecinstitute.com/animal-farm-apt-and-the-shadow-of-france-intelligence/> <https://www.welivesecurity.com/2015/06/30/dino-spying-malware-analyzed/> |
Last change to this card: 24 April 2020