ETDA ThaiCERT
Threat Group Cards: A Threat Actor Encyclopedia

APT group: TA2101, Maze Team

Names: TA2101 (Proofpoint), Maze Team (self given)
Country: [Unknown]
Motivation: Financial crime, Financial gain
First seen: 2019
Description: (Proofpoint) Proofpoint researchers recently detected campaigns from a relatively new actor, tracked internally as TA2101, targeting German companies and organizations to deliver and install backdoor malware.

The actor initiated their campaigns impersonating the Bundeszentralamt für Steuern, the German Federal Ministry of Finance, with lookalike domains, verbiage, and stolen branding in the emails.

Proofpoint researchers have also observed this actor distributing Maze ransomware, employing similar social engineering techniques to those it uses for Cobalt Strike, while also targeting organizations in Italy and impersonating the Agenzia Delle Entrate, the Italian Revenue Agency. We have also recently observed the actor targeting organizations in the United States using the IcedID banking Trojan while impersonating the United States Postal Service (USPS).
Observed sectors: Construction, Education, Energy, Financial, Government, Healthcare, Hospitality, IT, Manufacturing, Media, Non-profit organizations, Oil and gas, Retail, Shipping and Logistics, Technology, Telecommunications, Transportation and Real estate.
Observed countries: Canada, Costa Rica, France, Germany, Italy, South Korea, Thailand, UK, USA.
Tools used: 7-Zip, BokBot, BloodHound, Buran, Cobalt Strike, Maze, Mimikatz, nmap, PsExec, SharpHound, WinSCP.
Operations performed:
Nov 2019: Allied Universal Breached by Maze Ransomware, Stolen Data Leaked
<https://www.bleepingcomputer.com/news/security/allied-universal-breached-by-maze-ransomware-stolen-data-leaked/>
Dec 2019: Maze Ransomware Demands $6 Million Ransom From Southwire
<https://www.bleepingcomputer.com/news/security/maze-ransomware-demands-6-million-ransom-from-southwire/>
Jan 2020: Maze ransomware operators have infected computers from Medical Diagnostic Laboratories (MDLab) and are releasing close to 9.5GB of data stolen from infected machines.
<https://www.bleepingcomputer.com/news/security/maze-ransomware-not-getting-paid-leaks-data-left-and-right/>
Jan 2020: MAZE Relaunches 'Name and Shame' Website
<https://www.infosecurity-magazine.com/news/maze-relaunches-name-and-shame/>
Feb 2020: Breaking the Ice: A Deep Dive Into the IcedID Banking Trojan's New Major Version Release
<https://securityintelligence.com/posts/breaking-the-ice-a-deep-dive-into-the-icedid-banking-trojans-new-major-version-release/>
Mar 2020: Chubb Cyber Insurer Allegedly Hit By Maze Ransomware Attack
<https://www.bleepingcomputer.com/news/security/chubb-cyber-insurer-allegedly-hit-by-maze-ransomware-attack/>
Mar 2020: The Maze ransomware group attacked the computer systems of Hammersmith Medicines Research (HMR), publishing personal details of thousands of former patients after the company declined to pay a ransom.
<https://www.computerweekly.com/news/252480425/Cyber-gangsters-hit-UK-medical-research-lorganisation-poised-for-work-on-Coronavirus>
Apr 2020: On April 1st, 2020, Berkine became a victim of cyber-attack by the notorious Maze ransomware group that is known for its unique blackmailing practices.
<https://www.hackread.com/maze-ransomware-group-hacks-oil-giant-leaks-data/>
Apr 2020: IT services giant Cognizant suffers Maze Ransomware cyber attack
<https://www.bleepingcomputer.com/news/security/it-services-giant-cognizant-suffers-maze-ransomware-cyber-attack/>
Apr 2020: The Maze Ransomware gang breached and successfully encrypted the systems of VT San Antonio Aerospace, as well as stole and leaked unencrypted files from the company's compromised devices.
<https://www.bleepingcomputer.com/news/security/us-aerospace-services-provider-breached-by-maze-ransomware/>
Apr 2020: Chipmaker MaxLinear reports data breach after Maze Ransomware attack
<https://www.bleepingcomputer.com/news/security/chipmaker-maxlinear-reports-data-breach-after-maze-ransomware-attack/>
May 2020: According to MAZE, egg producer and supplier Sparboe was cracked into on May 1, 2020. As proof of the attack, the threat group has shared a zip file of data it claims was exfiltrated from Sparboe's systems.
<https://www.infosecurity-magazine.com/news/maze-claims-ransomware-attack-on-us/>
May 2020: Package delivery giant Pitney Bowes confirms second ransomware attack in 7 months
<https://www.zdnet.com/article/package-delivery-giant-pitney-bowes-confirms-second-ransomware-attack-in-7-months/>
May 2020: Ransomware breach of Banco de Costa Rica
<https://www.bleepingcomputer.com/news/security/hackers-say-they-stole-millions-of-credit-cards-from-banco-bcr/>
<https://cybleinc.com/2020/05/22/maze-ransomware-operators-release-the-banco-de-costa-rica-data-leak-part-3/>
Jun 2020: Cyber extortionists have stolen sensitive data from a company which supports the US Minuteman III nuclear deterrent.
<https://news.sky.com/story/hackers-steal-secrets-from-us-nuclear-missile-contractor-11999442>
Jun 2020: The Maze Ransomware operators are claiming to have successfully attacked business services giant Conduent, where they stole unencrypted files and encrypted devices on their network.
<https://www.bleepingcomputer.com/news/security/business-services-giant-conduent-hit-by-maze-ransomware/>
Jun 2020: MAZE maintains that it has encrypted and exfiltrated data from New York company Threadstone Advisors using ransomware.
<https://www.infosecurity-magazine.com/news/maze-attacks-victoria-beckhams/>
Jun 2020: LG Electronics allegedly hit by Maze ransomware attack
<https://www.bleepingcomputer.com/news/security/lg-electronics-allegedly-hit-by-maze-ransomware-attack/>
Jun 2020: Business giant Xerox allegedly suffers Maze Ransomware attack
<https://www.bleepingcomputer.com/news/security/business-giant-xerox-allegedly-suffers-maze-ransomware-attack/>
Jun 2020: Maze Ransomware Operators Allegedly Targeted National Highways Authority of India (NHAI)
<https://cybleinc.com/2020/07/02/maze-ransomware-operators-allegedly-targeted-national-highways-authority-of-india-nhai-data-leak/>
Jul 2020: Canon hit by Maze Ransomware attack, 10TB data allegedly stolen
<https://www.bleepingcomputer.com/news/security/canon-hit-by-maze-ransomware-attack-10tb-data-allegedly-stolen/>
Aug 2020: The Maze hacker gang claims it has infected computer memory maker SK hynix with ransomware and leaked some of the files it stole.
<https://www.theregister.com/2020/08/20/maze_crew_sk_hynix/>
Aug 2020: During the monitoring of deepweb and darkweb leaks, our researchers came across the leak disclosure post in which the Maze ransomware operators allegedly breached Hoa Sen Group and claimed to be in possession of the company's sensitive data.
<https://cybleinc.com/2020/08/17/one-of-the-largest-steel-sheet-companies-in-southeast-asia-got-allegedly-breached-by-maze/>
Sep 2020: Fairfax County schools hit by Maze ransomware, student data leaked
<https://www.bleepingcomputer.com/news/security/fairfax-county-schools-hit-by-maze-ransomware-student-data-leaked/>
Information:
<https://www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us>
<https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html>

Last change to this card: 17 September 2020

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency