Krypton

Threat Actor updated 6 months ago (2024-05-18T00:17:44.090Z)

Download STIX

Preview STIX

Krypton, also known as Secret Blizzard or UAC-0003, is a significant threat actor that has been associated with Russia's Federal Security Service (FSB). This Advanced Persistent Threat (APT) group has been active since at least 2004, targeting diplomatic and government organizations as well as private businesses across the globe, including regions such as the Middle East, Asia, Europe, North and South America, and former Soviet bloc nations. Krypton leverages a novel .NET backdoor called DeliveryCheck to deliver various second-stage payloads, primarily targeting the defense sector in Ukraine and Eastern Europe. Recently, Microsoft has identified targeted attacks by Krypton against Exchange Server components, enabling this cyberespionage tool to execute illicit activities. These include executing JavaScript, extracting data from event logs, and stealing credentials from various programs such as browsers, FTP clients, VPN software, KeePass, Azure, AWS, and Outlook. The distinctive tactics, techniques, and use of KAZUAR have confidently linked this activity to the FSB-led group. In addition to its cyberespionage capabilities, the Krypton network also offers Distributed Denial-of-Service (DDoS) services for hire. It has been known to advertise these services to hacktivists wishing to target Israeli organizations. Furthermore, Krypton Networks has shown interest in releasing version 3 of its botnet service, which targets large organizations like Spotify. This botnet, known for its DDoS-for-hire capabilities, allegedly includes several features designed to bypass DDoS mitigation services.

Description last updated: 2024-05-18T00:15:41.095Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Turla is a possible alias for Krypton. Turla, a threat actor linked to Russia, is known for its sophisticated cyber espionage operations. The group has been associated with numerous high-profile attacks, often utilizing advanced backdoors and fileless malware for infiltration and persistence. Turla's tactics, techniques, and procedures (	3

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Apt

Ddos

Botnet

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Uroburos Malware is associated with Krypton. Uroburos, also known as Snake, Turla, Pensive Ursa, and Venomous Bear, is a sophisticated malware linked to the Russian Federal Security Service (FSB). The development of this malicious software began in late 2003, with its operations traced back to at least 2004. Uroburos is part of a broader arsen	Unspecified	2
The Kazuar Malware is associated with Krypton. Kazuar is a sophisticated multiplatform trojan horse malware that has been associated with the Russian-based threat group Turla, also known as Pensive Ursa, Uroburos, or Snake. This group, believed to be linked to the Russian Federal Security Service (FSB), has been operating since at least 2004 and	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Venomous Bear Threat Actor is associated with Krypton. Venomous Bear, also known as Turla, Urobouros, Snake, and other names, is a threat actor group attributed to Center 16 of the Federal Security Service (FSB) of the Russian Federation. The group has been active since at least 2004, targeting diplomatic and government organizations, as well as private	Unspecified	2

Source Document References

Information about the Krypton Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Securityaffairs	6 months ago	Turla APT used two new backdoors to infiltrate a European ministry of foreign affairs
Securityaffairs	9 months ago	Turla APT uses new TinyTurla-NG backdoor to spy on Polish NGOs
CERT-EU	a year ago	KillNet group touts new feature-rich ‘DDoS-for-hire’ service
DARKReading	a year ago	Hackers For Hire Hit Both Sides in Israel-Hamas Conflict
CERT-EU	a year ago	The Israel–Hamas Conflict: Implications for the Cyber Threat Landscape - ReliaQuest
CERT-EU	a year ago	Hackers Turn Exchange Servers into Malware Command & Control Centers
CERT-EU	a year ago	Turla hackers target defense sector in Ukraine and Eastern Europe
BankInfoSecurity	a year ago	Russian Hackers Probe Ukrainian Defense Sector With Backdoor
DARKReading	a year ago	Insights Into Nation-State Tactics: Lessons From Russia's Hybrid War In Ukraine
CERT-EU	2 years ago	Russian Hackers Tomiris Targeting Central Asia for Intelligence Gathering
CERT-EU	2 years ago	Russian Hackers Tomiris Targeting Central Asia for Intelligence Gathering \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker – National Cyber Security Consulting