misp-galaxy/elements/apt-groups.json

{
  "version" : 1,
  "description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups can be confused with their initial operation or campaign.",
  "authors": ["Alexandre Dulaunoy", "Florian Roth", "Various"],
  "type": "APT Groups",
  "groups"  : ["Comment Crew","Sofacy","APT 29","Turla Group","Energetic Bear","Sandworm","Anunak","TeamSpy Crew","BuhTrap"],
  "details" : [
                        {
                        "group": "Comment Crew",
                        "description": "PLA Unit 61398 (Chinese: 61398部队, Pinyin: 61398 bùduì) is the Military Unit Cover Designator (MUCD)[1] of a People's Liberation Army advanced persistent threat unit that has been alleged to be a source of Chinese computer hacking attacks",
                        "refs": ["https://en.wikipedia.org/wiki/PLA_Unit_61398", "http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf"],
                        "country": "CN",
                        "synonyms": ["Comment Panda", "PLA Unit 61398", "APT 1", "Advanced Persistent Threat 1", "Byzantine Candor"]
                        },
                        {
                        "group": "Sofacy",
                        "description": "The Sofacy Group (also known as APT28, Pawn Storm, Fancy Bear and Sednit) is a cyber espionage group believed to have ties to the Russian government. Likely operating since 2007, the group is known to target government, military, and security organizations. It has been characterized as an advanced persistent threat.",
                        "refs": ["https://en.wikipedia.org/wiki/Sofacy_Group"],
                        "country": "RU",
                        "synonyms": ["APT 28", "APT28", "Pawn Storm", "Fancy Bear", "Sednit"]
                        },
                        {
                        "group": "APT 29",
                        "refs": ["https://labsblog.f-secure.com/2015/09/17/the-dukes-7-years-of-russian-cyber-espionage/"],
                        "country": "RU",
                        "synonyms": ["Dukes", "Group 100", "Cozy Duke", "EuroAPT", "CozyBear", "CozyCar", "Cozer", "Office Monkeys"]
                        },
                        {
                        "group": "Turla Group",
                        "country": "RU",
                        "synonyms": ["Turla", "Snake", "Venomous Bear", "Group 88"]
                        },
                        {
                        "group": "Energetic Bear",
                        "country": "RU",
                        "synonyms": ["Dragonfly", "Crouching Yeti", "Group 24"]
                        },
                        {
                        "group": "Sandworm",
                        "refs": ["http://www.isightpartners.com/2014/10/cve-2014-4114/"],
                        "country": "RU",
                        "synonyms": ["Sandworm Team"]
                        },
                        {
                        "group": "Anunak",
                        "description": "Groups targeting financial organizations or people with significant financial assets.",
                        "country": "RU",
                        "synonyms": ["Carbanak"]
                        },
                        {
                        "group": "TeamSpy Crew",
                        "refs": ["https://securelist.com/blog/incidents/35520/the-teamspy-crew-attacks-abusing-teamviewer-for-cyberespionage-8/"],
                        "country": "RU",
                        "synonyms": ["TeamSpy"]
                        },
                        {
                        "group": "BuhTrap",
                        "refs": ["http://www.welivesecurity.com/2015/11/11/operathion-buhtrap-malware-distributed-via-ammyy-com/"],
                        "country": "RU",
                        "synonyms": [""]
                        }
              ]
}
Example of galaxy including a cluster which is default type where you can add as much element as you want. The elements are the default values known by MISP but a local instance can add more or overwrite some elements. 2016-02-27 20:07:09 +00:00			`{`
			`"version" : 1,`
More groups from RU 2016-02-28 07:09:44 +00:00			`"description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups can be confused with their initial operation or campaign.",`
			`"authors": ["Alexandre Dulaunoy", "Florian Roth", "Various"],`
Example of galaxy including a cluster which is default type where you can add as much element as you want. The elements are the default values known by MISP but a local instance can add more or overwrite some elements. 2016-02-27 20:07:09 +00:00			`"type": "APT Groups",`
groups array updated 2016-02-28 07:23:03 +00:00			`"groups" : ["Comment Crew","Sofacy","APT 29","Turla Group","Energetic Bear","Sandworm","Anunak","TeamSpy Crew","BuhTrap"],`
Example of galaxy including a cluster which is default type where you can add as much element as you want. The elements are the default values known by MISP but a local instance can add more or overwrite some elements. 2016-02-27 20:07:09 +00:00			`"details" : [`
			`{`
			`"group": "Comment Crew",`
			`"description": "PLA Unit 61398 (Chinese: 61398部队, Pinyin: 61398 bùduì) is the Military Unit Cover Designator (MUCD)[1] of a People's Liberation Army advanced persistent threat unit that has been alleged to be a source of Chinese computer hacking attacks",`
			`"refs": ["https://en.wikipedia.org/wiki/PLA_Unit_61398", "http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf"],`
			`"country": "CN",`
			`"synonyms": ["Comment Panda", "PLA Unit 61398", "APT 1", "Advanced Persistent Threat 1", "Byzantine Candor"]`
			`},`
			`{`
			`"group": "Sofacy",`
			`"description": "The Sofacy Group (also known as APT28, Pawn Storm, Fancy Bear and Sednit) is a cyber espionage group believed to have ties to the Russian government. Likely operating since 2007, the group is known to target government, military, and security organizations. It has been characterized as an advanced persistent threat.",`
			`"refs": ["https://en.wikipedia.org/wiki/Sofacy_Group"],`
			`"country": "RU",`
			`"synonyms": ["APT 28", "APT28", "Pawn Storm", "Fancy Bear", "Sednit"]`
More groups from RU 2016-02-28 07:09:44 +00:00			`},`
			`{`
			`"group": "APT 29",`
			`"refs": ["https://labsblog.f-secure.com/2015/09/17/the-dukes-7-years-of-russian-cyber-espionage/"],`
			`"country": "RU",`
			`"synonyms": ["Dukes", "Group 100", "Cozy Duke", "EuroAPT", "CozyBear", "CozyCar", "Cozer", "Office Monkeys"]`
			`},`
			`{`
			`"group": "Turla Group",`
			`"country": "RU",`
			`"synonyms": ["Turla", "Snake", "Venomous Bear", "Group 88"]`
			`},`
			`{`
			`"group": "Energetic Bear",`
			`"country": "RU",`
			`"synonyms": ["Dragonfly", "Crouching Yeti", "Group 24"]`
			`},`
			`{`
			`"group": "Sandworm",`
			`"refs": ["http://www.isightpartners.com/2014/10/cve-2014-4114/"],`
			`"country": "RU",`
			`"synonyms": ["Sandworm Team"]`
			`},`
			`{`
			`"group": "Anunak",`
			`"description": "Groups targeting financial organizations or people with significant financial assets.",`
			`"country": "RU",`
			`"synonyms": ["Carbanak"]`
			`},`
			`{`
			`"group": "TeamSpy Crew",`
			`"refs": ["https://securelist.com/blog/incidents/35520/the-teamspy-crew-attacks-abusing-teamviewer-for-cyberespionage-8/"],`
			`"country": "RU",`
			`"synonyms": ["TeamSpy"]`
			`},`
			`{`
			`"group": "BuhTrap",`
			`"refs": ["http://www.welivesecurity.com/2015/11/11/operathion-buhtrap-malware-distributed-via-ammyy-com/"],`
			`"country": "RU",`
			`"synonyms": [""]`
Example of galaxy including a cluster which is default type where you can add as much element as you want. The elements are the default values known by MISP but a local instance can add more or overwrite some elements. 2016-02-27 20:07:09 +00:00			`}`
			`]`
			`}`