- since 2008
- target: aerospace, defense, energy, government, media, and dissidents
- targets both conventional computers and mobile devices
- employs both phishing messages and credential harvesting via spoofed websites
- primary implant XAgent - ported across multiple operating systems
- proprietary tools and droppers such as X-Tunnel, WinIDS, Foozer and DownRange
- known for registering domains that closely resemble the domains of legitimate organizations, in order to set up phishing sites that spoof the look and feel of the victim's web-based email service, with the intention of harvesting credentials
- operations against US political organizations and European military organizations
- targeting mirrors the strategic interests of the Russian government, specifically the Main Intelligence Department or GRU
- also linked to the German Bundestag and France's TV5 Monde TV station intrusions in April 2015
-
Goblin Panda (APT27)
- China based
- first observed in 2013 when CrowdStrike discovered indicators of attack (IOAs)
-
Ocean Buffalo (APT 32)
-
Helix Kitten (APT34)
-
Wicked Panda (APT 41)