9 government-funded hacker groups

Mutt

Hacker groups are a very real threat today. And we are not talking about amateurs, but about serious, professional groups working for the governments of various countries. Funded by their states, these groups are able to infiltrate the networks of media outlets, large corporations, military departments and governments. Infiltrate, and wreak havoc.

The situation is serious enough that it is already being called a "new cold war", and this war is truly global, even if not everyone sees it. It will not be long before cyberattacks are treated as real acts of war.

1. "Syrian Electronic Army" (Syria)
The world first heard of the Syrian Electronic Army in 2011. The group is made up largely of students from Syrian universities who produce propaganda in favour of Syrian President Bashar al-Assad. Major news organisations such as the New York Times, a variety of Twitter accounts, and even The Onion have been victims of its attacks.

The group also carried out successful attacks on CNN, the Washington Post and Time in 2013. And in April 2013, posting from a hijacked Associated Press Twitter account, it managed to convince the public that explosions had occurred at the White House and that President Obama had been injured. The fake news briefly disrupted the stock market, and the Dow Jones fell sharply before recovering.

The hackers are also known to have been involved in darker work, such as intimidating people who do not support Assad. In its operations the group relies heavily on spear phishing, a method built largely on social engineering, whose aim is to trick a specific user into handing over passwords or other confidential information. To do this, targets are typically directed to fake login pages built specifically for phishing.

In November 2014 the group returned and hijacked many websites at once by compromising a third-party content delivery provider whose scripts those sites loaded. Visitors saw a pop-up reading: "You have been hacked by the Syrian Electronic Army."

2. "Tarh Andishan" (Iran)
Beginning in 2009-2010, Iran's computing infrastructure was badly compromised by the much-publicised Stuxnet worm (discovered publicly in 2010). Iran responded by building up its own offensive capability, ranging from simple website defacements to full-blown cyber warfare. This is how the state-funded group Tarh Andishan (roughly "Thinkers" or "Innovators" in Farsi) was born.

The group became known for a campaign that the security firm Cylance named Operation Cleaver. Under way since 2012, it targeted at least 50 organisations around the world in the military, commercial, educational, environmental, energy and aerospace sectors.

The group also attacked major airlines, and in some cases gained full access to airport infrastructure, including gate and security control systems.

Cylance drew its own conclusions about the group's long-term goals. It published a report on Tarh Andishan in December 2014 but disclosed only part of the group's activity, because in its assessment Operation Cleaver already posed a "serious threat to the world's physical security".

According to Cylance, the infrastructure available to Tarh Andishan is far too large to be the work of one person or a small crew. The group uses a mix of techniques: SQL injection, current exploits, custom backdoors and more. It is believed to have around 20 members, most of them in Tehran, with some in Canada, the Netherlands and the UK. Its victims were located in the United States, Central America, various parts of Europe, South Korea, Pakistan, Israel and several other parts of the Middle East.



3. "Dragonfly" / "Energetic Bear" (Eastern Europe)
The group, which Symantec calls "Dragonfly" and other firms call "Energetic Bear", operates out of Eastern Europe and has been targeting energy companies since at least 2011. Before that, its targets were aviation and defence companies in the US and Canada. Symantec says the group "bears the hallmarks of a state-sponsored operation, displaying a high degree of technical capability".

Dragonfly uses its own Trojans, Backdoor.Oldrea (also known as Havex) and Trojan.Karagany. Both are spyware built for espionage against the energy sector, although the group's access could equally be used for industrial sabotage. The malware was initially delivered as attachments to spear-phishing emails; the group later refined its targeting with watering-hole attacks, compromising websites that its targets are likely to visit and bouncing them through a chain of redirects until Oldrea or Karagany lands on the victim's system.

In the later stages of the campaign the attackers went further and trojanised legitimate software: they broke into the websites of industrial control system (ICS) equipment vendors and replaced the genuine software packages offered for download with versions bundled with their malware, so that the victim downloaded and installed what looked like a normal update from a trusted source.
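The counter to a trojanised vendor download is to check the installer against a digest the vendor publishes out of band (on a separate host, or in a signed manifest). The following is an added example, not code from the original post or from any vendor: it parses a `sha256sum`-style manifest and verifies a set of downloaded files against it. The installer bytes and the manifest are constructed stand-ins; the filename `ics-setup-1.2.3.exe` is made up.

```python
"""Verify downloaded installers against a vendor-published SHA-256 manifest.

Added example, not code from the original post or from any vendor. The
manifest format is the one produced by `sha256sum` (hex digest, two
spaces, filename); the installer bytes below are constructed stand-ins
for real files.
"""
import hashlib
import hmac

# Constructed stand-in for a clean installer as the vendor built it.
CLEAN_INSTALLER = b"MZ\x90\x00fake-ics-setup-v1.2.3" + b"\x00" * 64
# Constructed stand-in for the same installer with an implant appended,
# the kind of trojanised package the text describes.
TROJANISED_INSTALLER = CLEAN_INSTALLER + b"<<dropper-stub>>"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> dict:
    """Parse `sha256sum`-style lines into {filename: digest}.

    Lines that are not a 64-hex digest followed by a filename are ignored
    rather than silently mapped to an empty value.
    """
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts
        name = name.lstrip("*")  # sha256sum marks binary mode with '*'
        if len(digest) == 64 and all(c in "0123456789abcdef" for c in digest.lower()):
            expected[name] = digest.lower()
    return expected


def verify_installer(data: bytes, expected_hex: str) -> bool:
    """True only if the file's digest matches the published one.

    compare_digest avoids timing leaks; not critical for a public digest,
    but a habit worth keeping for any comparison of secrets or digests.
    """
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())


def verify_downloads(files: dict, manifest_text: str) -> dict:
    """Check every downloaded file against the manifest.

    Returns {filename: "ok" | "MISMATCH" | "not in manifest"}. A file that
    is not listed is reported rather than assumed good, because a tampered
    vendor site could also strip entries from the manifest.
    """
    expected = parse_manifest(manifest_text)
    results = {}
    for name, data in files.items():
        if name not in expected:
            results[name] = "not in manifest"
        elif verify_installer(data, expected[name]):
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results


# Constructed manifest, as the vendor would publish it out of band,
# listing only the clean build.
VENDOR_MANIFEST = (
    "# SHA256SUMS for ics-setup 1.2.3\n"
    f"{sha256_hex(CLEAN_INSTALLER)}  ics-setup-1.2.3.exe\n"
)


if __name__ == "__main__":
    downloads = {
        "ics-setup-1.2.3.exe": TROJANISED_INSTALLER,   # what the compromised site served
        "ics-setup-1.2.3.exe.clean": CLEAN_INSTALLER,   # unlisted file, for comparison
    }
    for name, verdict in verify_downloads(downloads, VENDOR_MANIFEST).items():
        print(f"{name}: {verdict}")
```

The check is only as good as the channel the manifest arrives over: a digest fetched from the same compromised vendor page proves nothing, since the attacker who swapped the installer can rewrite it too. Prefer a manifest that is signed with a key you already hold, or at least hosted somewhere the vendor's web server does not control.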

The Dragonfly campaign (like the Stuxnet worm before it) was one of the first serious attempts to gain direct control over industrial control systems. Unlike Stuxnet, which was aimed solely at Iran's nuclear programme, Dragonfly's activity was far broader: long-term espionage, with the positioning needed for serious industrial sabotage.

4. "Tailored Access Operations" (USA)
After Stuxnet, the US had no intention of falling behind in cyber warfare and espionage. The country reserves the right to "use all necessary means - diplomatic, informational, military, and economic - as appropriate and consistent with applicable international law" to defend itself in cyberspace.

The government-funded group of American hackers known as Tailored Access Operations (TAO) is run by the US National Security Agency.

The group came to public attention through the Edward Snowden leaks, when the German magazine Der Spiegel published NSA documents describing how the unit intercepts communications and compromises systems in the United States and abroad.

Since at least 2008 the group has been able to intercept shipments of computers and network equipment in transit (implanting spyware before delivery) and to exploit software and hardware vulnerabilities, including in products from vendors as large as Microsoft.

The organisation no longer hides much: its employees even list it on LinkedIn. Its roughly 600 staff are based at NSA headquarters in Fort Meade, Maryland. For a sense of its current activity, consider Dean Schyvincht, who describes himself as a senior computer network operator in the group's Texas office. He states that in 2013 there were "over 54,000 global network operations in support of national intelligence agency requirements", carried out by a staff of 14 under his direct leadership.



5. "Ajax Security Team" / "Flying Kitten" (Iran)
Ajax was founded in 2010, initially as a group of Iranian "hacktivists" and website defacers. From hacktivism it has since moved on to cyber espionage and surveillance of political dissidents.

The members deny any state backing, but many believe they have been hired by the Iranian government; in any case the group does everything it can to draw the government's attention to its public activity, clearly hoping for state funding.

FireEye believes it was the Ajax Security Team that carried out what is now known as Operation Saffron Rose. This was a series of phishing attacks in which the group set up fake Microsoft Outlook Web Access and VPN login pages, cloned from the real ones, to harvest user credentials and information about the US defence industry. The group also goes after Iranian dissidents, distributing malware disguised as anti-censorship software.
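Cloned OWA and VPN login pages only work if the victim accepts a hostname that is not the real one, so a useful detection is to triage hostnames from proxy or DNS logs against the organisation's genuine login hosts. The following is an added example, not code from the original post or from FireEye's report: it flags lookalike domains by homoglyph normalisation, edit distance to the real registrable domain, and brand tokens appearing in someone else's domain. The hosts `owa.example-corp.com` and `vpn.example-corp.com` and the sample URLs are constructed.

```python
"""Flag credential-phishing lookalikes of corporate OWA/VPN login hosts.

Added example, not code from the original post or from FireEye's report.
The legitimate hosts and the URLs below are constructed; a real deployment
would feed it hostnames from proxy or DNS logs.
"""
from urllib.parse import urlsplit

# Constructed: the organisation's real login endpoints.
LEGIT_HOSTS = {"owa.example-corp.com", "vpn.example-corp.com"}
# Brand tokens an attacker is likely to reuse in a lookalike name.
BRAND_TOKENS = ("example-corp", "examplecorp")

# Common character substitutions seen in lookalike domains.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def hostname(url: str) -> str:
    """Lower-cased host part of a URL, without port or credentials."""
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def registrable(host: str) -> str:
    """Crude eTLD+1: the last two labels. (A real tool would use the Public Suffix List.)"""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def normalise(label: str) -> str:
    """Undo common homoglyph substitutions so 'examp1e-c0rp' compares as 'example-corp'."""
    out = label
    for fake, real in HOMOGLYPHS.items():
        out = out.replace(fake, real)
    return out


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """Return 'legit', 'lookalike' or 'unrelated' for a URL.

    lookalike = not under our own registrable domain, but either within
    edit distance 2 of it after homoglyph normalisation, or carrying one
    of our brand tokens somewhere in the hostname (which also catches
    owa.example-corp.com.login-portal.net, where our name is a subdomain
    of someone else's domain).
    """
    host = hostname(url)
    if not host:
        return "unrelated"
    if host in LEGIT_HOSTS:
        return "legit"
    legit_reg = {registrable(h) for h in LEGIT_HOSTS}
    reg = registrable(host)
    if reg in legit_reg:
        # Unknown host under our own domain: not a phish by this test.
        return "legit"
    reg_norm = normalise(reg.split(".")[0])
    for lr in legit_reg:
        if edit_distance(reg_norm, lr.split(".")[0]) <= 2:
            return "lookalike"
    if any(tok in normalise(host) for tok in BRAND_TOKENS):
        return "lookalike"
    return "unrelated"


def triage(urls):
    """Map each URL to its verdict; the caller can alert on 'lookalike'."""
    return {u: classify(u) for u in urls}


# Constructed URLs, resembling what a proxy log would contain.
SAMPLE_URLS = [
    "https://owa.example-corp.com/owa/auth/logon.aspx",
    "https://vpn.example-corp.com/",
    "https://owa.examp1e-c0rp.com/owa/auth/logon.aspx",
    "https://owa.example-corp.com.login-portal.net/",
    "https://example-corp-vpn.net/",
    "https://www.wikipedia.org/",
]

if __name__ == "__main__":
    for u, v in triage(SAMPLE_URLS).items():
        print(f"{v:10} {u}")
```

Edit distance and token matching will produce false positives on partners and resellers that legitimately carry the brand in their domain, so in practice the "lookalike" verdict feeds an analyst queue or a lookup of the domain's registration date rather than an automatic block.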

6. "Unit 61398" / "Comment Crew" / "Putter Panda" (China)
In 2013 Mandiant published a report concluding that a group working for the People's Liberation Army's Unit 61398 had stolen hundreds of terabytes of data from at least 141 organisations around the world.

Mandiant backed this claim with evidence such as the Shanghai IP addresses of the attacking computers. Those computers also used simplified Chinese language settings, and there were many further signs that a large number of people, rather than automated systems, were behind the activity.
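Attribution evidence of this kind is aggregated from activity logs rather than from any single connection. The following is an added example, not code from the original post or from Mandiant's report, and it goes one step beyond the text: besides tallying source IPs and locale indicators, it infers the operators' working time zone by finding the UTC offset at which the activity best fits office hours, which is a standard way to show that people rather than scheduled automation are driving a campaign. The records are constructed; the IPs are from the documentation range 192.0.2.0/24.

```python
"""Infer an intrusion set's working time zone and locale from activity logs.

Added example, not code from the original post or from Mandiant's report.
The records below are constructed; real input would be C2 beacon times
from proxy logs plus whatever locale indicators the attacker tooling
leaks (an Accept-Language header, the language ID in document metadata,
a keyboard layout recorded by a sandbox).
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed records: (UTC timestamp, source IP, locale indicator).
# A real analyst would have thousands of these; the point is the method.
RECORDS = [
    (datetime(2014, 1, 15, h, m, tzinfo=timezone.utc), ip, loc)
    for (h, m, ip, loc) in [
        (0, 12, "192.0.2.10", "zh-CN"), (0, 47, "192.0.2.10", "zh-CN"),
        (1, 5,  "192.0.2.11", "zh-CN"), (2, 30, "192.0.2.10", "zh-CN"),
        (3, 15, "192.0.2.12", "zh-CN"), (4, 2,  "192.0.2.11", "zh-CN"),
        (5, 44, "192.0.2.10", "zh-CN"), (6, 10, "192.0.2.12", "en-US"),
        (7, 33, "192.0.2.11", "zh-CN"), (8, 50, "192.0.2.10", "zh-CN"),
        (9, 20, "192.0.2.13", "zh-CN"), (9, 55, "192.0.2.10", "zh-CN"),
    ]
]

WORKDAY_START, WORKDAY_END = 8, 18  # local hours treated as "office hours"


def business_hours_score(timestamps, offset_hours: int) -> int:
    """How many timestamps fall on Mon-Fri 08:00-18:00 at the given UTC offset."""
    shift = timedelta(hours=offset_hours)
    score = 0
    for ts in timestamps:
        local = ts + shift
        if local.weekday() < 5 and WORKDAY_START <= local.hour < WORKDAY_END:
            score += 1
    return score


def best_utc_offset(timestamps) -> int:
    """UTC offset (whole hours, -12..+14) that best fits an office-hours pattern.

    Ties go to the offset closest to zero, so the result is deterministic.
    """
    best, best_score = 0, -1
    for off in sorted(range(-12, 15), key=abs):
        s = business_hours_score(timestamps, off)
        if s > best_score:
            best, best_score = off, s
    return best


def summarise(records) -> dict:
    """Aggregate the indicators the text lists: source IPs, locales, working hours."""
    ts = [r[0] for r in records]
    ips = Counter(r[1] for r in records)
    locales = Counter(r[2] for r in records)
    top_locale, top_count = locales.most_common(1)[0]
    return {
        "inferred_utc_offset": best_utc_offset(ts),
        "distinct_source_ips": len(ips),
        "top_locale": top_locale,
        "locale_share": top_count / len(records),
    }


if __name__ == "__main__":
    for k, v in summarise(RECORDS).items():
        print(f"{k}: {v}")
```

None of these indicators is conclusive on its own: IP addresses can be VPN exits, locale strings can be set deliberately as a false flag, and a time-zone fit only narrows the field to a band of longitudes. What made the Mandiant case persuasive was the volume of data and the agreement between independent indicators, which is why the summary keeps them side by side.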

China denied all of these allegations, saying the report was "not based on facts" and that there was a clear "lack of technical evidence."

Brad Glosserman, executive director of Pacific Forum CSIS (the Center for Strategic and International Studies), disputed that denial, pointing out that there is more than enough evidence. Mandiant even knew where most of the attacks came from: a 12-storey building in Shanghai's Pudong district, which had been provided with dedicated high-capacity fibre-optic links.

Today around 20 high-profile hacker groups are reported to be of Chinese origin, and at least some of them may be arms of the People's Liberation Army. They include Comment Crew and Putter Panda, groups active since 2007 that allegedly operated out of buildings belonging to the PLA.



7. "Axiom" (China)
A coalition of security companies led by Novetta and including Bit9, Microsoft, Symantec, ThreatConnect, Volexity and others has identified another dangerous group, which it calls Axiom.

The group specialises in corporate espionage and surveillance of political dissidents, and may also have been behind the 2010 attacks on Google (Operation Aurora). Axiom is believed to operate from China, but so far nobody has been able to pin down which part. The coalition's report says that its activity overlaps with the "area of responsibility" of Chinese intelligence and the Chinese government, a conclusion supported by a brief FBI alert distributed through InfraGard.

The report describes Axiom as a subgroup of a larger, still unidentified group that has existed for more than six years and attacks mainly private enterprises of significant economic weight. Its methods range from large-scale, generic malware campaigns to sophisticated exploits that take years to develop. The group also targets Western governments, various democratic institutions, and dissidents both inside and outside China.

8. "Bureau 121" (Pyongyang, North Korea)
By now many people have heard that Sony Pictures was attacked by hackers calling themselves "Guardians of Peace". The group was incensed by The Interview, a new film depicting the assassination of North Korean leader Kim Jong-un. Guardians of Peace even threatened 9/11-style attacks, which it claimed could take place at cinemas and other Sony venues if The Interview were shown.

Guardians of Peace wrote: "Whatever comes in the coming days is called by the greed of Sony Pictures Entertainment. All the world will denounce the SONY."

All this led to North Korea being blamed for the attacks, and mentions of the group now known as Bureau 121 began to appear in the media. Bureau 121 is believed to be a unit of North Korean hackers and computer experts dedicated to cyber warfare. Defectors have said that it belongs to the Reconnaissance General Bureau, North Korea's military intelligence agency.

With government backing, the group carries out intrusions and sabotage against South Korea and against other perceived enemies such as the United States. In 2013 it was blamed for an attack that wiped some 30,000 computers at South Korean banks and television broadcasters.

According to some reports, Bureau 121 has around 1,800 staff who are regarded as a genuine elite and receive substantial material incentives, such as high salaries and the right to move their families to Pyongyang, where they are allocated apartments. Defector Jang Se-yul told Reuters that he studied alongside members of the group at North Korea's University of Automation. He also said that the group has subdivisions operating abroad.



9. "Hidden Lynx" (China)
Hidden Lynx, as Symantec named it, is one of the newest of the active groups. A 2013 Symantec report describes it as a highly organised and experienced team of 50 to 100 operators with enormous resources and the patience to use them. The group regularly uses (and possibly develops) the latest intrusion techniques; one of its operations was the 2012 compromise of the security firm Bit9, disclosed in 2013, in which the attackers stole Bit9's code-signing certificate and used it to sign malware aimed at Bit9's customers.

But the group does not limit itself to commercial targets. It also breaks into organisations that are considered among the most secure in the world: the defence industry, the largest corporations, and the governments of major powers. Its targets have been located in the United States, China, Taiwan and South Korea, among other countries.

There are many indications that Hidden Lynx operates out of China, but it is still unclear whether it is state-funded or simply a very capable team of mercenaries. Its advanced skills and techniques, together with the fact that its entire infrastructure, including its command-and-control servers, is located in China, make it doubtful that the group gets by without government support.