Mitre
Alias
Axiom, Group 72
Country
China
Sponsor
State-sponsored
Motivation
Information Theft And Espionage
First Seen
2008
Description
(Talos) Group 72 is a long-standing threat actor group involved in Operation SMN, named Axiom by Novetta. The group is sophisticated, well funded, and possesses an established, defined software development methodology. The group targets high-profile organizations with high-value intellectual property in the manufacturing, industrial, aerospace, defense, and media sectors. Geographically, the group almost exclusively targets organizations based in the United States, Japan, Taiwan, and Korea. The preferred tactics of the group include watering-hole attacks, spear-phishing, and other web-based tactics.
The tools and infrastructure used by the attackers are common to a number of other threat actor groups which may indicate some degree of overlap. We have seen similar patterns used in domain registration for malicious domains, and the same tactics used in other threat actor groups leading us to believe that this group may be part of a larger organization that comprises many separate teams, or that different groups share tactics, code and personnel from time to time.
Though both this group and {{Winnti Group, Blackfly, Wicked Panda}} use the malware Winnti, the two groups appear to be distinct based on differences in reporting on the groups' TTPs and targeting.
Could be related to {{APT 17, Deputy Dog, Elderwood, Sneaky Panda}} and/or {{APT 20, Violin Panda}}.
Targeted Industries
Aerospace, Defense, Industrial, Manufacturing, Media
Targeted Countries
Japan, South Korea, Taiwan, USA
Tools
9002 RAT
BlackCoffee
DeputyDog
Derusbi
Gh0st RAT
Hikit
PlugX
Poison Ivy
Winnti
ZoxRPC
ZxShell
TTP
Nil
Operations Performed
[2008/2014] Operation "SMN" (Axiom is responsible for directing highly sophisticated cyberespionage against numerous Fortune 500 companies, journalists, environmental groups, pro-democracy groups, software companies, academic institutions and government agencies worldwide for at least the last six years. In our coordinated effort, we performed the first-ever private sponsored interdiction against a sophisticated state-sponsored advanced threat group. Our efforts detected and cleaned 43,000 separate installations of Axiom tools, including 180 of their top-tier implants.) (http://www.novetta.com/wp-content/uploads/2014/11/executive_summary-final_1.pdf)
Counter Operations
Nil
Information