
Threat Group Cards: A Threat Actor Encyclopedia

APT group: Gorgon Group

Names: Gorgon Group (Palo Alto); Subaat (Palo Alto); ATK 92 (Thales); TAG-CR5 (?)
Country: Pakistan
Sponsor: State-sponsored
Motivation: Information theft and espionage
First seen: 2017
Description: Gorgon Group is a threat group consisting of members who are suspected to be Pakistan-based or have other connections to Pakistan. The group has performed a mix of criminal and targeted attacks, including campaigns against government organizations in the United Kingdom, Spain, Russia, and the United States.

Gorgon Group may be related to Transparent Tribe (APT 36) and may be responsible for the Aggah activity.
Observed sectors: Government, Manufacturing.
Observed countries: Russia, Spain, Switzerland, UK, USA.
Tools used: Agent Tesla, Crimson RAT, LokiBot, NanoCore RAT, NetWire RC, njRAT, QuasarRAT, RemcosRAT, RevengeRAT, Living off the Land.
Operations performed:

Jul 2017: Small wave of phishing emails targeting a US-based government organization.
"Within the 43 emails we observed, we found that three unique files were delivered, which consisted of two RTFs and a Microsoft Excel file. Both RTFs exploited CVE-2012-0158 and acted as downloaders to ultimately deliver the QuasarRAT malware family. The downloaders made use of the same shellcode, with minor variances witnessed between them. Additionally, the RTFs made use of heavy obfuscation within the documents themselves, making it more difficult to extract the embedded shellcode."
<https://unit42.paloaltonetworks.com/unit42-tracking-subaat-targeted-phishing-attacks-point-leader-threat-actors-repository/>

Feb 2018: In addition to the numerous targeted attacks, Unit 42 discovered that the group also performed a litany of attacks and operations around the globe, involving both criminal as well as targeted attacks.
"Starting in February 2018, Palo Alto Networks Unit 42 identified a campaign of attacks performed by members of Gorgon Group targeting governmental organizations in the United Kingdom, Spain, Russia, and the United States. Additionally, during that time, members of Gorgon Group were also performing criminal operations against targets across the globe, often using shared infrastructure with their targeted attack operations."
<https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/>

Apr 2020: Gorgon APT targeting the MSME sector in India
<https://www.seqrite.com/blog/gorgon-apt-targeting-msme-sector-in-india/>

Jul 2020: Advance campaign targeting manufacturing and export sectors in India
<https://www.seqrite.com/blog/advance-campaign-targeting-manufacturing-and-export-sectors-in-india/>

MITRE ATT&CK: <https://attack.mitre.org/groups/G0078/>
Playbook: <https://pan-unit42.github.io/playbook_viewer/?pb=gorgongroup>

Last change to this card: 13 August 2020

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency