Advanced Persistent Threat (APT) Groups

Information about threat actors known to target VMware products and infrastructure

Threat Intelligence Information

This page contains information about known threat actors targeting VMware products. This information is provided for educational and defensive purposes only.

What are APT Groups?

Advanced Persistent Threat (APT) groups are sophisticated threat actors, often state-sponsored, that conduct targeted cyber attacks over extended periods. These groups typically have significant resources, technical capabilities, and specific objectives such as espionage, intellectual property theft, or sabotage.

Why Target Virtualization?

Virtualization infrastructure, such as VMware products, are high-value targets for APT groups because they provide access to multiple systems from a single point of compromise. By targeting hypervisors and management servers, attackers can potentially access all virtual machines and data within an environment.

APT29
Also known as: Midnight Blizzard, Cozy Bear, STORM-0866, NOBELIUM
Russia

APT29 is a Russian state-sponsored threat actor associated with the Russian Foreign Intelligence Service (SVR). The group has been active since at least 2008 and is known for targeting government organizations, think tanks, healthcare, and technology sectors.

Targeted VMware Products

Workspace ONE Access
Identity Manager
vCenter Server

Exploited Vulnerabilities

CVE-2022-22954
CVE-2020-4006
UNC3886
Also known as: VIRTUALPITA
Unknown

UNC3886 is a sophisticated threat actor that specifically targets virtualization infrastructure, particularly VMware ESXi and vCenter Server environments. The group has been active since at least 2021 and demonstrates advanced capabilities in developing and deploying custom malware for VMware environments.

Targeted VMware Products

ESXi
vCenter Server
vSphere

Exploited Vulnerabilities

CVE-2023-34048
CVE-2022-31699
CVE-2021-22045
CVE-2022-31705
Lazarus Group
Also known as: APT38, Hidden Cobra, Zinc
North Korea

Lazarus Group is a North Korean state-sponsored threat actor associated with the Reconnaissance General Bureau. The group has been active since at least 2009 and is known for targeting financial institutions, cryptocurrency exchanges, and defense organizations for both espionage and financial gain.

Targeted VMware Products

ESXi
vCenter Server
Horizon

Exploited Vulnerabilities

CVE-2021-22005
CVE-2021-21974
ESXiArgs Operators
Also known as: ESXiArgs Ransomware Group
Unknown

The ESXiArgs operators are a threat group responsible for the ESXiArgs ransomware campaign that targeted vulnerable VMware ESXi servers worldwide in February 2023. The group exploits known vulnerabilities in ESXi to deploy ransomware that encrypts virtual machine files.

Targeted VMware Products

ESXi

Exploited Vulnerabilities

CVE-2021-21974

Attribution Disclaimer

Attribution of cyber attacks to specific threat actors is based on available intelligence and may change as new information becomes available. The information provided here represents the current understanding of these threat actors but should not be considered definitive or final.