Krypton

Threat Actor Profile Updated 2 months ago
Krypton, also known as Secret Blizzard or UAC-0003, is a significant threat actor that has been associated with Russia's Federal Security Service (FSB). This Advanced Persistent Threat (APT) group has been active since at least 2004, targeting diplomatic and government organizations as well as private businesses across the globe, including the Middle East, Asia, Europe, North and South America, and former Soviet bloc nations. Krypton leverages a novel .NET backdoor called DeliveryCheck to deliver various second-stage payloads, primarily against the defense sector in Ukraine and Eastern Europe. Recently, Microsoft identified targeted attacks by Krypton against Exchange Server components, enabling its cyberespionage tooling to carry out illicit activities. Observed capabilities include executing JavaScript, extracting data from event logs, and stealing credentials from browsers, FTP clients, VPN software, KeePass, Azure, AWS, and Outlook. The distinctive tactics and techniques, together with the use of KAZUAR, link this activity with high confidence to the FSB-led group.

In addition to its cyberespionage capabilities, the Krypton network also offers Distributed Denial-of-Service (DDoS) services for hire and has been known to advertise these services to hacktivists wishing to target Israeli organizations. Krypton Networks has also shown interest in releasing version 3 of its botnet service, which targets large organizations such as Spotify. This botnet, known for its DDoS-for-hire capabilities, allegedly includes several features designed to bypass DDoS mitigation services.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Turla (3 votes): Turla, also known as Pensive Ursa, is a sophisticated threat actor linked to Russia that has been active for many years. The group is known for its advanced cyber-espionage capabilities and has been associated with numerous high-profile breaches. According to the MITRE ATT&CK and MITRE Ingenuity dat

Waterbug (1 vote): Waterbug, also known as Turla, Venomous Bear, and other aliases, is a cyberespionage group closely affiliated with the FSB Russian intelligence agency. This threat actor has been active since at least 2004, targeting government entities, intelligence agencies, educational institutions, research faci

Secret Blizzard (1 vote): Secret Blizzard, also known as Turla, KRYPTON, and UAC-0003, is a threat actor group linked to Russia's Federal Security Service (FSB). This Advanced Persistent Threat (APT) group has been active since the early 2000s, primarily targeting government organizations worldwide. The group's activities we
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Ddos
Botnet
Malware
Israeli
Backdoor
Telegram
Russia
Espionage
Microsoft
Vpn
Associated Malware
Uroburos (type: Unspecified; 2 votes): Uroburos, also known as Snake, Turla, Pensive Ursa, and Venomous Bear, is a sophisticated malware linked to the Russian Federal Security Service (FSB). The development of this malicious software began in late 2003, with its operations traced back to at least 2004. Uroburos is part of a broader arsen

Kazuar (type: Unspecified; 2 votes): Kazuar is a sophisticated multiplatform trojan horse malware, linked to the Russian-based threat group Turla (also known as Pensive Ursa, Uroburos, Snake), which has been operating since at least 2004. This group, believed to be connected to the Russian Federal Security Service (FSB), utilizes an ar
Associated Threat Actors
Venomous Bear (type: Unspecified; 2 votes): Venomous Bear, also known as Turla, Uroburos, Snake, and other names, is a threat actor group attributed to Center 16 of the Federal Security Service (FSB) of the Russian Federation. The group has been active since at least 2004, targeting diplomatic and government organizations, as well as private

Anonymous Sudan (type: Unspecified; 1 vote): Anonymous Sudan, a threat actor group known for its malicious cyber activities, has recently been the subject of increased attention in the cybersecurity industry. This entity, which could consist of a single individual, a private company, or part of a government organization, is responsible for exe

Forest Blizzard (type: Unspecified; 1 vote): Forest Blizzard, also known as APT28, Fancy Bear, and Strontium, is a threat actor linked to the Russian General Staff Main Intelligence Directorate (GRU) and the 85th Main Special Service Center (GTsSS). The group has been involved in persistent espionage campaigns against European countries, which

Snake (type: Unspecified; 1 vote): Snake, also known as EKANS, is a significant threat actor that has been active since at least 2004, with its activities potentially dating back to the late 1990s. This group, which may have ties to Iran, targets diplomatic and government organizations as well as private businesses across various reg

STRONTIUM (type: Unspecified; 1 vote): Strontium, also known as APT28, Fancy Bear, Forest Blizzard, and several other aliases, is a Russia-linked threat actor that has been active since at least 2007. This group, believed to be associated with the Russian General Staff Main Intelligence Directorate (GRU), has targeted governments, milita
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Krypton Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Securityaffairs, 2 months ago: Turla APT used two new backdoors to infiltrate a European ministry of foreign affairs
Securityaffairs, 5 months ago: Turla APT uses new TinyTurla-NG backdoor to spy on Polish NGOs
CERT-EU, 9 months ago: KillNet group touts new feature-rich 'DDoS-for-hire' service
DARKReading, 10 months ago: Hackers For Hire Hit Both Sides in Israel-Hamas Conflict
CERT-EU, 10 months ago: The Israel-Hamas Conflict: Implications for the Cyber Threat Landscape - ReliaQuest
CERT-EU, a year ago: Hackers Turn Exchange Servers into Malware Command & Control Centers
CERT-EU, a year ago: Turla hackers target defense sector in Ukraine and Eastern Europe
BankInfoSecurity, a year ago: Russian Hackers Probe Ukrainian Defense Sector With Backdoor
DARKReading, a year ago: Insights Into Nation-State Tactics: Lessons From Russia's Hybrid War In Ukraine
CERT-EU, a year ago: Russian Hackers Tomiris Targeting Central Asia for Intelligence Gathering
CERT-EU, a year ago: Russian Hackers Tomiris Targeting Central Asia for Intelligence Gathering | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker - National Cyber Security Consulting