US Cyber Operations Groups
My previous post on the Russian (offensive) Cyber Operations Groups became more popular than I expected, so I decided to do something similar for other nation-state actors with multiple intelligence organizations performing offensive cyber operations. I picked the United States as the second one, and hopefully will continue with more of these in the future.
In the case of the US this was harder, since very limited details are publicly available. The main sources that I used for this one were (the full list of sources used is below the diagram):
- Government leaks (E. Snowden, Wikileaks, Shadow Brokers, etc.)
- Statements from government officials in reputable news outlets
You might notice that I didn’t expand CYBERCOM (which is massive). The reason is that although it’s publicly known that it now performs offensive cyber operations, there is no publicly known APT association, so I decided to avoid making this a huge diagram for no reason. The same applies to the NSA, which has multiple other divisions/offices performing cyber operations, but there is no publicly known APT associated with them either.
I hope I got it right, but if you notice any mistakes, missing details or incorrect information, please let me know so I can update it accordingly.
Last update: 29 APRIL 2021

Sources
- Wikileaks: Vault 7
- Wikileaks: Vault 8
- 360 Core Security: The CIA Hacking Group (APT-C-39) Conducts Cyber-Espionage Operation on China’s Critical Industries for 11 Years
- Symantec: Longhorn: Tools used by cyberespionage group linked to Vault 7
- Fifth Domain: New authorities mean lots of new missions at Cyber Command
- Wikipedia: United States Cyber Command
- Wikipedia: United States Special Operations Command
- Wikipedia: Equation Group
- Wikipedia: Tailored Access Operations
- Kaspersky Labs: EQUATION GROUP: Questions and Answers
- Kaspersky Labs: Equation: The Death Star of Malware Galaxy
- Kaspersky Labs: APT trends report Q1 2021
- Kaspersky Labs: Unraveling the Lamberts Toolkit
- ArsTechnica: US officials: Kaspersky “Slingshot” report burned anti-terror operation
- Defense Systems: Cyber operations come out of the shadows
- CyberScoop: Kaspersky’s ‘Slingshot’ report burned an ISIS-focused intelligence operation
- CyberScoop: FBI has a unit solely devoted to its ‘going dark’ problem
- Facebook: JSOC Intelligence Brigade
- Google: APT Groups and Operations
- U.S. Department of Justice: A Special Inquiry Regarding the Accuracy of FBI Statements Concerning its Capabilities to Exploit an iPhone Seized During the San Bernardino Terror Attack Investigation
- Motherboard: The FBI Used Classified Hacking Tools in Ordinary Criminal Investigations
ChangeLog
- Version 2.5 (29 April 2021): Kaspersky Labs correlated Lamberts with the Longhorn APT group. Added it.
- Version 2.2 (23 April 2021): Added APT-C-39 to CCI and removed Vault 7 from TAO.
- Version 2.0 (18 April 2021): Update SLINGSHOT attribution (thanks to Midwest and @slaeryan)
- Version 1.0 (18 April 2021): First publication.