Pistachio Tempest

Threat Actor updated 5 months ago (2024-05-04T17:44:36.298Z)
Pistachio Tempest, also known as FIN12, is a threat actor that has been identified as a significant cybersecurity risk, particularly to the healthcare industry. According to a report by the U.S. Department of Health and Human Services (HHS) in 2022, this group has specifically targeted healthcare entities, deploying a combination of SystemBC and CS Beacon to orchestrate ransomware attacks. The unusual naming conventions for such groups are typical within the cybersecurity sector, with little standardization across the industry. Data from multiple incidents analyzed by cybersecurity firm Kaspersky indicate that Pistachio Tempest is likely a Russian-speaking Ransomware-as-a-Service (RaaS) cybercrime group. This group's focus on the healthcare industry is consistent with the HHS report, further emphasizing their use of SystemBC alongside CS Beacon to carry out ransomware attacks. The attribution of these attacks to Pistachio Tempest has been supported by specific indicators observed during these incidents. Despite the challenges in definitively attributing these attacks, there is substantial evidence pointing towards the involvement of Pistachio Tempest or FIN12. Their frequent deployment of SystemBC in conjunction with Cobalt Strike in 2022 underlines their persistent threat to the healthcare industry. As a result, organizations within this sector should be particularly vigilant in enhancing their cybersecurity measures to mitigate potential threats from this group.
Description last updated: 2023-10-09T11:19:22.955Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias Description: FIN12 is a possible alias for Pistachio Tempest. FIN12, also known as DEV-0237 and Pistachio Tempest, is a threat actor group notorious for its malicious cyber activities. Tracked by Microsoft, this group is primarily engaged in the distribution of Hive, Conti, and Ryuk ransomware. The group has been responsible for several high-profile ransomware
Votes: 3
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Beacon
Associated Malware
Alias Description: The SystemBC malware is associated with Pistachio Tempest. SystemBC is a type of malware that has been heavily used in cyber-attacks, often alongside other malicious software. It was observed being used with Quicksand and BlackBasta in 2023, during attacks attributed to a team deploying BlackBasta. The Play ransomware group also utilized SystemBC as part of
Association Type: Unspecified
Votes: 2
Source Document References
Information about the Pistachio Tempest Threat Actor was read from the documents corpus below.