New Entries in the CFR Cyber Operations Tracker: Q2 2018

This blog post was coauthored by Alex Grigsby, assistant director, digital and cyberspace policy. 

The Cyber Operations Tracker has just been updated. This update includes the state-sponsored incidents and threat actors that have been made public between April, 2018 and July, 2018. We also modified some older entries to reflect the latest developments. 

A detailed log of the added and modified entries follow. If you know of any state-sponsored cyber incidents that should be included, you can submit them to us here.  

Edits to Old Entries

Lazarus Group. Added that it is believed to be responsible for Operation GhostSecret, associated with Covellite, and the subject of a new U.S. Department of Homeland Security alert. 
Operation Aurora. Added its association with Winnti Umbrella.
Axiom. Added its association with Winnti Umbrella.
Mirage. Added its association with Winnti Umbrella, a victim and a source. 
Deputy Dog. Added its association with Winnti Umbrella.
Black Energy. Added a reference to a German government technical report about this threat actor and its alternate name (Electrum).
Turla. Added that it is believed to have targeted South Korea prior to the meeting between Kim Jong-un and Donald J. Trump.
OilRig. Added its association with Chafer and Chrysene.
NotPetya. Added references to U.S. sanctions and attribution from Estonia, Lithuania, and Ukraine.
WannaCry. Added a reference to attribution from New Zealand.
Crouching Yeti. Added a reference to U.S. and German alerts regarding this actor’s targeting of critical infrastructure and associations with Allanite and Dymalloy.
Leviathan. Added that it is believed to have compromised Cambodia’s election infrastructure. 
APT 37. Added a new source.
Patchwork. Added that it is believed to have targeted U.S. think tanks.
Ocean Lotus. Added victims and sources.
Targeting of the Islamic State Group. Added an association.
Emissary Panda. Added that it is believed to have been responsible for the compromise of a Mongolian data centre.
Compromise of the Democratic National Committee. Added the U.S. Department of Justice indictments.
APT 28. Added that it is believed to have been responsible for targeting of the 2018 U.S. midterms.
DragonOK. Added association with Rancor.  
Compromise of Saudi Aramco and RasGas. Added a reference to Chrysene.
Shamoon 2.0. Added a reference to Chrysene.
APT 33. Added a reference to its alternate name (Magnallium). 

New Entries

Operation GhostSecret
Winnti Umbrella
Targeting of Chinese-language news websites
Targeting of the government of Thailand
Compromise of gaming companies
Spear-phishing campaign against Google accounts in 2015
Stealth Mango and Tangelo
Targeting of North Korean defectors and journalists
Alleged Russian compromise of networking equipment
Targeting of South Korean actors prior to meeting of Donald J. Trump and Kim Jong-un
TempTick
Chafer
Compromise of a U.S. Navy contractor
Targeting of U.S. energy and other critical infrastructure sectors
Compromise of a diplomatic entity in Qatar
Targeting of financial and chemical organizations in Europe
Targeting of chemical research and media organizations in Germany
Thrip
Targeting of German critical infrastructure sectors
RedAlpha
Rancor
Operation Parliament
Inception Framework
Compromise of Cambodian election organizations
Mythic Leopard
Mustang Panda
Compromise of Australian National University
HenBox
UK targeting of the Islamic State group
Compromise of Mongolian government data center
Targeting of congressional campaigns for the 2018 U.S. midterm elections
Compromise of SingHealth, a large health-care provider in Singapore
Allanite
Chrysene
Covellite
Dymalloy
Targeting of a chemical plant in Ukraine
Trisis