Pistachio Tempest

Threat Actor Profile Updated 2 months ago
Pistachio Tempest, also known as FIN12, is a threat actor that has been identified as a significant cybersecurity risk, particularly to the healthcare industry. According to a 2022 report by the U.S. Department of Health and Human Services (HHS), this group has specifically targeted healthcare entities, deploying a combination of SystemBC and Cobalt Strike (CS) Beacon to orchestrate ransomware attacks. Unusual naming conventions for such groups are typical within the cybersecurity sector, where there is little standardization across vendors. Data from multiple incidents analyzed by cybersecurity firm Kaspersky indicate that Pistachio Tempest is likely a Russian-speaking Ransomware-as-a-Service (RaaS) cybercrime group. This group's focus on the healthcare industry is consistent with the HHS report, which likewise emphasizes their use of SystemBC alongside CS Beacon to carry out ransomware attacks. The attribution of these attacks to Pistachio Tempest has been supported by specific indicators observed during the incidents. Despite the challenges in definitively attributing these attacks, there is substantial evidence pointing towards the involvement of Pistachio Tempest or FIN12. Their frequent deployment of SystemBC in conjunction with Cobalt Strike in 2022 underlines their persistent threat to the healthcare industry. As a result, organizations within this sector should be particularly vigilant in enhancing their cybersecurity measures to mitigate potential threats from this group.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
FIN12 | 3 | FIN12, also known as DEV-0237 and Pistachio Tempest, is a threat actor group notorious for its malicious cyber activities. Tracked by Microsoft, this group is primarily engaged in the distribution of Hive, Conti, and Ryuk ransomware. The group has been responsible for several high-profile ransomware
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Beacon
RaaS
Associated Malware
ID | Type | Votes | Profile Description
Systembc | Unspecified | 2 | SystemBC is a malicious software (malware) that has been used in various cyber attacks to exploit and damage computer systems. This malware was observed in 2023, being heavily used with BlackBasta and Quicksand. It has been deployed by teams using BlackBasta during their attacks. Play ransomware act
Associated Threat Actors
ID | Type | Votes | Profile Description
No associations to display
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Pistachio Tempest threat actor was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
CERT-EU | 9 months ago | Southern African power generator targeted with DroxiDat malware | #daitngscams | #lovescams | #datingscams | #love | #relationships | #scams | #pof | #match.com | #dating | National Cyber Security Consulting
Securityaffairs | a year ago | Power Generator in South Africa hit with DroxiDat and Cobalt Strike
CERT-EU | a year ago | Focus on DroxiDat/SystemBC
CERT-EU | a year ago | Focus on DroxiDat/SystemBC – GIXtools
InfoSecurity-magazine | a year ago | DroxiDat-Cobalt Strike Duo Targets Power Generator Network