This is not an official source of Microsoft Threat Intelligence but rather a simple collection of publicly available resources curated for the community.
Association Overlap (not equivalents): APT28 (Fireeye), Fancy Bear (Crowdstrike)
Description: A group active since 2007 that uses zero-day exploits to collect the sensitive information of high-value targets in government and political organizations. Since 2007, the group has targeted: government bodies, diplomatic institutions, military forces and installations, journalists, and political advisers and organizations. Its primary area of interest is NATO member states and certain Eastern European countries.
- Microsoft Security Intelligence Report – Volume 19
Association Overlap (not equivalents): DarkHotel (Kaspersky)
Description: DUBNIUM is an activity group that has been very active in recent years. Their primary targets are in Asia, including China, Japan, and Korea. Their operations begin with socially engineered spear-phishing relying on LNK files masquerading as Microsoft Office documents that tempt the user to click them, resulting in the download of their stage 1 capability. Their capabilities thoroughly check the running environment for any signs of instrumentation that may provide intelligence to defenders.
- Reverse Engineering DUBNIUM
- Reverse Engineering DUBNIUM’s Flash-targeting Exploit
- Reverse Engineering DUBNIUM – Stage 2 Payload Analysis
Association Overlap (not equivalents): None
Description: PLATINUM has been targeting its victims since at least as early as 2009, and may have been active for several years prior. Its activities are distinctly different not only from those typically seen in untargeted attacks, but from many targeted attacks as well. A large share of targeted attacks can be characterized as opportunistic: the activity group changes its target profiles and attack geographies based on geopolitical seasons, and may attack institutions all over the world. Like many such groups, PLATINUM seeks to steal sensitive intellectual property related to government interests, but its range of preferred targets is consistently limited to specific governmental organizations, defense institutes, intelligence agencies, diplomatic institutions, and telecommunication providers in South and Southeast Asia. The group’s persistent use of spear phishing tactics (phishing attempts aimed at specific individuals) and access to previously undiscovered zero-day exploits have made it a highly resilient threat. PLATINUM has focused on targets associated with governments and related organizations in South and Southeast Asia.