ETDA ThaiCERT

Threat Group Cards: A Threat Actor Encyclopedia

APT group: SandCat

Names: SandCat (Kaspersky)
Country: Uzbekistan
Sponsor: State-sponsored, Military Unit 02616
Motivation: Information theft and espionage
First seen: 2018
Description: (Kaspersky) “SandCat is a relatively new APT group; we first observed them in 2018, although it would appear they have been around for some time,” Costin Raiu, director of global research and analysis team at Kaspersky Lab, told Threatpost. “They use both FinFisher/FinSpy [spyware] and the CHAINSHOT framework in attacks, coupled with various zero-days. Targets of SandCat have been mostly observed in Middle East, including but not limited to Saudi Arabia.”
Observed: Countries: Saudi Arabia and Middle East.
Tools used: FinFisher, CHAINSHOT and several 0-days.
Information:
<https://threatpost.com/sandcat-fruityarmor-exploiting-microsoft-win32k/142751/>
<https://www.vice.com/en_us/article/3kx5y3/uzbekistan-hacking-operations-uncovered-due-to-spectacularly-bad-opsec>

Last change to this card: 14 April 2020


Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency
