ETDA ThaiCERT

Threat Group Cards: A Threat Actor Encyclopedia

APT group: Snowglobe, Animal Farm

Names: Snowglobe (CSEC), Animal Farm (Kaspersky), SIG20 (NSA), ATK 8 (Thales)
Country: France
Sponsor: State-sponsored
Motivation: Information theft and espionage
First seen: 2011
Description: (GData) The revelation about the existence of yet another potentially nation-state driven spyware occurred in March 2014 when Le Monde first published information about top secret slides originating from 2011 and part of their content. But the slides Le Monde published revealed only a small part of the picture – several slides were cut out, some information was redacted. Germany’s Der Spiegel re-published the slide set with far less deletions recently, in January 2015, and therefore gave a deeper insight about what CSEC actually says they have tracked down.

The newly published documents reveal: the so called operation SNOWGLOBE, was discovered in 2009 (slide 9) and consists of three different “implants”, two were dubbed snowballs and one “more sophisticated implant, discovered in mid-2010” is tagged as snowman (slide 7). According to slide 22, “CSEC assesses, with moderate certainty, SNOWGLOBE to be a state-sponsored CNO [Cyber Network Operation] effort, put forth by a French intelligence agency.” The information given dates back to 2011 and nothing else has been published since. Now that specific Babar samples have been identified and analyzed, there might be new information, also with regards to similarities or differences between the two Remote Administration Tools (RATs) EvilBunny and Babar.
Observed:
Sectors: Defense, Government, Media and private sectors.
Countries: Algeria, Austria, China, Congo, Cote d'Ivoire, Germany, Greece, Iran, Iraq, Israel, Malaysia, Morocco, Netherlands, New Zealand, Norway, Russia, Spain, Syria, Turkey, UK, Ukraine, USA.
Tools used: Babar, Casper, Dino, EvilBunny, Tafacalou, Nbot, Chocopop.
Information:
<https://www.gdatasoftware.com/blog/2015/02/24270-babar-espionage-software-finally-found-and-put-under-the-microscope>
<https://resources.infosecinstitute.com/animal-farm-apt-and-the-shadow-of-france-intelligence/>
<https://www.welivesecurity.com/2015/06/30/dino-spying-malware-analyzed/>

Last change to this card: 24 April 2020


Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency
