From d4225c546958e96017686d510de264392a1d8baa Mon Sep 17 00:00:00 2001
From: Delta-Sierra
Date: Mon, 17 Apr 2023 11:16:21 +0200
Subject: [PATCH 1/7] add some SNOWYAMBER relationships
---
 clusters/microsoft-activity-group.json | 7 +++++++
 clusters/threat-actor.json | 14 +++++++++++++
 clusters/tool.json | 27 ++++++++++++++++++++++++--
 3 files changed, 46 insertions(+), 2 deletions(-)
diff --git a/clusters/microsoft-activity-group.json b/clusters/microsoft-activity-group.json
index 012e1bd..d611db8 100644
--- a/clusters/microsoft-activity-group.json
+++ b/clusters/microsoft-activity-group.json
@@ -315,6 +315,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "uses"
+ },
+ {
+ "dest-uuid": "0125ef58-2675-426f-90eb-0b189961199a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "d7247cf9-13b6-4781-b789-a5f33521633b",
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index c929748..b1e8967 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -2274,6 +2274,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "0125ef58-2675-426f-90eb-0b189961199a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "b2056ff0-00b9-482e-b11c-c771daa5f28a",
@@ -8160,6 +8167,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "0125ef58-2675-426f-90eb-0b189961199a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "2ee5ed7a-c4d0-40be-a837-20817474a15b",
diff --git a/clusters/tool.json b/clusters/tool.json
index 1bc037b..3aab56e 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -8711,7 +8711,7 @@
 },
 "related": [
 {
- "dest-uuid": "54c03b3c-6f97-46ea-a93f-f07bfd5cdd36,",
+ "dest-uuid": "54c03b3c-6f97-46ea-a93f-f07bfd5cdd36",
 "tags": [
 "estimative-language:likelihood-probability=\"likely\""
 ],
@@ -8756,7 +8756,7 @@
 "value": "AHK Bot"
 },
 {
- "description": "A tool first used in October 2022, abusing the Notion7 service to communicate and download further malicious files. Two versions of this tool have been observed.",
+ "description": "A tool first used in October 2022, abusing the Notion service to communicate and download further malicious files. Two versions of this tool have been observed.\n\nSNOWYAMBER is a dropper that was used in an espionage campaign significantly overlapping with publicly described activity linked to the APT29 and NOBELIUM activity sets. SNOWYAMBER abuses the NOTION collaboration service as a communication channel. It does not contain any other capabilities aside from downloading and executing 2nd stage. To bypass security products, SNOWYAMBER uses several antidetection and obfuscation techniques, including string encryption, dynamic API resolving, EDR/AV unhooking, and direct syscalls.",
 "meta": {
 "refs": [
 "https://www.gov.pl/web/baza-wiedzy/espionage-campaign-linked-to-russian-intelligence-services",
@@ -8764,6 +8764,29 @@
 "https://www.gov.pl/attachment/ee91f24d-3e67-436d-aa50-7fa56acf789d"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "b2056ff0-00b9-482e-b11c-c771daa5f28a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "d7247cf9-13b6-4781-b789-a5f33521633b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "2ee5ed7a-c4d0-40be-a837-20817474a15b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "used-by"
+ }
+ ],
 "uuid": "0125ef58-2675-426f-90eb-0b189961199a",
 "value": "SNOWYAMBER"
 },
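Review bot: The `dest-uuid` corrected in the `@@ -8711` hunk had a comma inside the string, which is still well-formed JSON, so a syntax or formatting pass alone would not have flagged it and the relationship would simply have failed to resolve. It would be worth validating every `dest-uuid` against a UUID pattern and, where possible, checking that it matches a `uuid` defined in some cluster; whether the repository's validation already does this is not visible here. The cluster entry that owns this `related` array starts and ends outside the hunk.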
From 6d5df91efab527dc68ded6fe645adb69f058a25e Mon Sep 17 00:00:00 2001
From: Delta-Sierra
Date: Mon, 17 Apr 2023 11:31:48 +0200
Subject: [PATCH 2/7] add relationship SNOWYAMBER & Notion
---
 clusters/online-service.json | 11 ++++++++++-
 clusters/tool.json | 9 ++++++++-
 2 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/clusters/online-service.json b/clusters/online-service.json
index 92fdb22..1f45bd1 100644
--- a/clusters/online-service.json
+++ b/clusters/online-service.json
@@ -16,9 +16,18 @@
 "https://www.notion.so/product"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "0125ef58-2675-426f-90eb-0b189961199a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "used-by"
+ }
+ ],
 "uuid": "5c807e49-dc90-4f80-b044-49bb990acb61",
 "value": "Notion"
 }
 ],
- "version": 1
+ "version": 2
 }
diff --git a/clusters/tool.json b/clusters/tool.json
index 3aab56e..72716b9 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -8785,6 +8785,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "5c807e49-dc90-4f80-b044-49bb990acb61",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "0125ef58-2675-426f-90eb-0b189961199a",
@@ -8815,5 +8822,5 @@
 "value": "QUARTERRIG"
 }
 ],
- "version": 162
+ "version": 163
 }
From 4a4fa6d16ff3d7e1877f9662d9bab2d04deca6a5 Mon Sep 17 00:00:00 2001
From: Delta-Sierra
Date: Mon, 17 Apr 2023 11:32:51 +0200
Subject: [PATCH 3/7] fix versions
---
 clusters/microsoft-activity-group.json | 2 +-
 clusters/threat-actor.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/clusters/microsoft-activity-group.json b/clusters/microsoft-activity-group.json
index d611db8..ba6cdba 100644
--- a/clusters/microsoft-activity-group.json
+++ b/clusters/microsoft-activity-group.json
@@ -328,5 +328,5 @@
 "value": "NOBELIUM"
 }
 ],
- "version": 11
+ "version": 12
 }
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 9c0ef00..0265c4a 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -10650,5 +10650,5 @@
 "value": "Anonymous Sudan"
 }
 ],
- "version": 263
+ "version": 264
 }
From 6b8994271e08cf0ce32265625d268f3887003ab2 Mon Sep 17 00:00:00 2001
From: Delta-Sierra
Date: Tue, 18 Apr 2023 12:20:20 +0200
Subject: [PATCH 4/7] add relationships for HALFRIG & QUATTERRIG
---
 clusters/microsoft-activity-group.json | 16 +++++++-
 clusters/threat-actor.json | 30 ++++++++++++++-
 clusters/tool.json | 52 ++++++++++++++++++++++++--
 3 files changed, 93 insertions(+), 5 deletions(-)
diff --git a/clusters/microsoft-activity-group.json b/clusters/microsoft-activity-group.json
index ba6cdba..5063270 100644
--- a/clusters/microsoft-activity-group.json
+++ b/clusters/microsoft-activity-group.json
@@ -322,11 +322,25 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "uses"
+ },
+ {
+ "dest-uuid": "f169f0b3-fe4d-40e5-a443-2561c98eb67e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "2d5072db-64e2-4d81-9b3a-3aa76cfa978b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "d7247cf9-13b6-4781-b789-a5f33521633b",
 "value": "NOBELIUM"
 }
 ],
- "version": 12
+ "version": 13
 }
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 0265c4a..dcceae3 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -2281,6 +2281,20 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "uses"
+ },
+ {
+ "dest-uuid": "f169f0b3-fe4d-40e5-a443-2561c98eb67e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "2d5072db-64e2-4d81-9b3a-3aa76cfa978b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "b2056ff0-00b9-482e-b11c-c771daa5f28a",
@@ -8176,6 +8190,20 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "uses"
+ },
+ {
+ "dest-uuid": "f169f0b3-fe4d-40e5-a443-2561c98eb67e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "2d5072db-64e2-4d81-9b3a-3aa76cfa978b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "2ee5ed7a-c4d0-40be-a837-20817474a15b",
@@ -10650,5 +10678,5 @@
 "value": "Anonymous Sudan"
 }
 ],
- "version": 264
+ "version": 265
 }
diff --git a/clusters/tool.json b/clusters/tool.json
index 72716b9..76d1f62 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -8798,7 +8798,7 @@
 "value": "SNOWYAMBER"
 },
 {
- "description": "Used for the first time in February 2023. This tool is distinguished from the others by the embedded code that runs the COBALT STRIKE tool.",
+ "description": "Used for the first time in February 2023. This tool is distinguished from the others by the embedded code that runs the COBALT STRIKE tool.\n\nHALFRIG is a stager for CobaltStrike Beacon that was used in an espionage campaign significantly overlapping with publicly described activity linked to the APT29 and NOBELIUM activity sets. HALFRIG has significant code overlap with the QUARTERRIG and it is highly probable that it was developed by the same team.",
 "meta": {
 "refs": [
 "https://www.gov.pl/web/baza-wiedzy/espionage-campaign-linked-to-russian-intelligence-services",
@@ -8806,11 +8806,34 @@
 "https://www.gov.pl/attachment/6e085a2c-ac05-4b62-9423-5d6e9ef730bf"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "b2056ff0-00b9-482e-b11c-c771daa5f28a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "d7247cf9-13b6-4781-b789-a5f33521633b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "used-by"
+ },
+ {
+ "dest-uuid": "2ee5ed7a-c4d0-40be-a837-20817474a15b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "used-by"
+ }
+ ],
 "uuid": "f169f0b3-fe4d-40e5-a443-2561c98eb67e",
 "value": "HALFRIG"
 },
 {
- "description": "A tool first used in March 2023, sharing part of the code with HALFRIG. Two versions of this tool were observed.",
+ "description": "A tool first used in March 2023, sharing part of the code with HALFRIG. Two versions of this tool were observed.\n\nQUARTERRIG is a dropper that was used in an espionage campaign significantly overlapping with publicly described activity linked to the APT29 and NOBELIUM activity sets. QUARTERRIG does not contain any other capabilities aside from downloading and executing 2nd stage. To bypass security products, QUARTERRIG heavily relies on obfuscation based on opaque predicates and multi-stage execution, interweaving shellcode and PE files. HALFRIG and QUARTERRIG share some of the codebase, suggesting that QUARTERRIG authors have access to both HALFRIG source code and the same obfuscation libraries.",
 "meta": {
 "refs": [
 "https://www.gov.pl/web/baza-wiedzy/espionage-campaign-linked-to-russian-intelligence-services",
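Review bot: The `related` array added for HALFRIG in this hunk, like the one added for QUARTERRIG in the following `@@ -8841` hunk, records only `used-by` edges, although both new descriptions state that the two tools share code and were probably built by the same team. A `similar` edge between `f169f0b3-fe4d-40e5-a443-2561c98eb67e` and `2d5072db-64e2-4d81-9b3a-3aa76cfa978b`, added on both entries, would make that overlap queryable instead of leaving it in free text. The HALFRIG description also names Cobalt Strike Beacon as the payload it stages; if the galaxy has a cluster for it, a relationship to that cluster would be worth adding, though no such cluster is visible here. The QUARTERRIG entry continues past the end of this hunk.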
@@ -8818,9 +8841,32 @@ "https://www.gov.pl/attachment/6e085a2c-ac05-4b62-9423-5d6e9ef730bf" ] }, + "related": [ + { + "dest-uuid": "b2056ff0-00b9-482e-b11c-c771daa5f28a", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "used-by" + }, + { + "dest-uuid": "d7247cf9-13b6-4781-b789-a5f33521633b", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "used-by" + }, + { + "dest-uuid": "2ee5ed7a-c4d0-40be-a837-20817474a15b", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "used-by" + } + ], "uuid": "2d5072db-64e2-4d81-9b3a-3aa76cfa978b", "value": "QUARTERRIG" } ], - "version": 163 + "version": 164 } From 8d2b9537f1c415adbd04161a67fd8456b3155367 Mon Sep 17 00:00:00 2001 From: Tobias Mainka Date: Wed, 19 Apr 2023 12:38:37 +0200 Subject: [PATCH 5/7] replace "sector" tag with "country" for matching data. this allows to be confirm with existing clusters. --- clusters/microsoft-activity-group.json | 88 +++++++++++++------------- 1 file changed, 44 insertions(+), 44 deletions(-) diff --git a/clusters/microsoft-activity-group.json b/clusters/microsoft-activity-group.json index 1cf8757..9a46090 100644 --- a/clusters/microsoft-activity-group.json +++ b/clusters/microsoft-activity-group.json @@ -325,7 +325,7 @@ "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" ], - "sector": "China", + "country": "CN", "synonyms": [ "APT41", "BARIUM" @@ -339,7 +339,7 @@ "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" ], - "sector": "China", + "country": "CN", "synonyms": [ "CHROMIUM", "ControlX" @@ -353,7 +353,7 @@ "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" ], - "sector": "China", + "country": "CN", "synonyms": [ "DEV-0322" ] 
@@ -366,7 +366,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "China",
+ "country": "CN",
 "synonyms": [
 "APT40",
 "GADOLINIUM",
@@ -383,7 +383,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "China",
+ "country": "CN",
 "synonyms": [
 "GALLIUM"
 ]
@@ -396,7 +396,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "China",
+ "country": "CN",
 "synonyms": [
 "DEV-0234"
 ]
@@ -409,7 +409,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "China",
+ "country": "CN",
 "synonyms": [
 "APT5",
 "Keyhole Panda",
@@ -425,7 +425,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "China",
+ "country": "CN",
 "synonyms": [
 "APT15",
 "NICKEL",
@@ -441,7 +441,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "China",
+ "country": "CN",
 "synonyms": [
 "APT30",
 "LotusBlossom",
@@ -456,7 +456,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "China",
+ "country": "CN",
 "synonyms": [
 "HAFNIUM"
 ]
@@ -469,7 +469,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "China",
+ "country": "CN",
 "synonyms": [
 "APT31",
 "ZIRCONIUM"
@@ -669,7 +669,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "Iran",
+ "country": "IR",
 "synonyms": [
 "NEPTUNIUM",
 "Vice Leaker"
@@ -683,7 +683,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "Iran",
+ "country": "IR",
 "synonyms": [
 "CURIUM",
 "TA456",
@@ -698,7 +698,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "Iran",
+ "country": "IR",
 "synonyms": [
 "DEV-0228"
 ]
@@ -711,7 +711,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "Iran",
+ "country": "IR",
 "synonyms": [
 "DEV-0343"
 ]
@@ -724,7 +724,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "Iran",
+ "country": "IR",
 "synonyms": [
 "APT34",
 "Cobalt Gypsy",
@@ -740,7 +740,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "Iran",
+ "country": "IR",
 "synonyms": [
 "Fox Kitten",
 "PioneerKitten",
@@ -756,7 +756,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "Iran",
+ "country": "IR",
 "synonyms": [
 "MERCURY",
 "MuddyWater",
@@ -773,7 +773,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "Iran",
+ "country": "IR",
 "synonyms": [
 "DEV-0500",
 "Moses Staff"
@@ -787,7 +787,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "Iran",
+ "country": "IR",
 "synonyms": [
 "APT35",
 "Charming Kitten",
@@ -802,7 +802,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "Iran",
+ "country": "IR",
 "synonyms": [
 "APT33",
 "HOLMIUM",
@@ -817,7 +817,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "Iran",
+ "country": "IR",
 "synonyms": [
 "AMERICIUM",
 "Agrius",
@@ -834,7 +834,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "Iran",
+ "country": "IR",
 "synonyms": [
 "DEV-0146",
 "ZeroCleare"
@@ -848,7 +848,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "Iran",
+ "country": "IR",
 "synonyms": [
 "BOHRIUM"
 ]
@@ -861,7 +861,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "Lebanon",
+ "country": "LB",
 "synonyms": [
 "POLONIUM"
 ]
@@ -874,7 +874,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "North Korea",
+ "country": "KP",
 "synonyms": [
 "Labyrinth Chollima",
 "Lazarus",
@@ -889,7 +889,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "North Korea",
+ "country": "KP",
 "synonyms": [
 "Kimsuky",
 "THALLIUM",
@@ -904,7 +904,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "North Korea",
+ "country": "KP",
 "synonyms": [
 "Konni",
 "OSMIUM"
@@ -918,7 +918,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "North Korea",
+ "country": "KP",
 "synonyms": [
 "LAWRENCIUM"
 ]
@@ -931,7 +931,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "North Korea",
+ "country": "KP",
 "synonyms": [
 "CERIUM"
 ]
@@ -944,7 +944,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "North Korea",
+ "country": "KP",
 "synonyms": [
 "BlueNoroff",
 "COPERNICIUM",
@@ -959,7 +959,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "North Korea",
+ "country": "KP",
 "synonyms": [
 "DEV-0530",
 "H0lyGh0st"
@@ -1029,7 +1029,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "Russia",
+ "country": "RU",
 "synonyms": [
 "ACTINIUM",
 "Gamaredon",
@@ -1045,7 +1045,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "Russia",
+ "country": "RU",
 "synonyms": [
 "DEV-0586"
 ]
@@ -1058,7 +1058,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "Russia",
+ "country": "RU",
 "synonyms": [
 "APT28",
 "Fancy Bear",
@@ -1073,7 +1073,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "Russia",
+ "country": "RU",
 "synonyms": [
 "BROMINE",
 "Crouching Yeti",
@@ -1088,7 +1088,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "Russia",
+ "country": "RU",
 "synonyms": [
 "APT29",
 "Cozy Bear",
@@ -1103,7 +1103,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "Russia",
+ "country": "RU",
 "synonyms": [
 "IRIDIUM",
 "Sandworm"
@@ -1117,7 +1117,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "Russia",
+ "country": "RU",
 "synonyms": [
 "Callisto",
 "Reuse Team",
@@ -1132,7 +1132,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "Russia",
+ "country": "RU",
 "synonyms": [
 "DEV-0665"
 ]
@@ -1145,7 +1145,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "South Korea",
+ "country": "KR",
 "synonyms": [
 "DUBNIUM",
 "Dark Hotel",
@@ -1160,7 +1160,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "Turkey",
+ "country": "TR",
 "synonyms": [
 "SILICON",
 "Sea Turtle"
@@ -1174,7 +1174,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "Vietnam",
+ "country": "VN",
 "synonyms": [
 "APT32",
 "BISMUTH",
@@ -1185,5 +1185,5 @@
 "value": "Canvas Cyclone"
 }
 ],
- "version": 12
+ "version": 13
 }
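Review bot: The `"version": 13` set in the `@@ -1185` hunk is the same number that PATCH 4/7 of this series assigns to clusters/microsoft-activity-group.json from a different base (`index ba6cdba..5063270` there, `index 1cf8757..9a46090` here). If both land, the merged file should end at a version above 13, otherwise consumers that compare `version` may not pick up one of the two changes; patches 6/7 and 7/7 only reorder keys and leave `version` alone, so the final value is not visible here. The commit subject could also mention that the values change from country names to two-letter codes (`"China"` → `"CN"`), since anything matching on the old strings will stop matching.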
From 063ac9fc71eaa3a7e5eaef91830031f777a085d6 Mon Sep 17 00:00:00 2001
From: Delta-Sierra
Date: Wed, 19 Apr 2023 15:10:25 +0200
Subject: [PATCH 6/7] jq?
---
 clusters/microsoft-activity-group.json | 86 +++++++++++++-------------
 1 file changed, 43 insertions(+), 43 deletions(-)
diff --git a/clusters/microsoft-activity-group.json b/clusters/microsoft-activity-group.json
index 51a3d7c..375a2bd 100644
--- a/clusters/microsoft-activity-group.json
+++ b/clusters/microsoft-activity-group.json
@@ -343,10 +343,10 @@
 },
 {
 "meta": {
+ "country": "CN",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "CN",
 "synonyms": [
 "APT41",
 "BARIUM"
@@ -357,10 +357,10 @@
 },
 {
 "meta": {
+ "country": "CN",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "CN",
 "synonyms": [
 "CHROMIUM",
 "ControlX"
@@ -371,10 +371,10 @@
 },
 {
 "meta": {
+ "country": "CN",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "CN",
 "synonyms": [
 "DEV-0322"
 ]
@@ -384,10 +384,10 @@
 },
 {
 "meta": {
+ "country": "CN",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "CN",
 "synonyms": [
 "APT40",
 "GADOLINIUM",
@@ -401,10 +401,10 @@
 },
 {
 "meta": {
+ "country": "CN",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "CN",
 "synonyms": [
 "GALLIUM"
 ]
@@ -414,10 +414,10 @@
 },
 {
 "meta": {
+ "country": "CN",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "CN",
 "synonyms": [
 "DEV-0234"
 ]
@@ -427,10 +427,10 @@
 },
 {
 "meta": {
+ "country": "CN",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "CN",
 "synonyms": [
 "APT5",
 "Keyhole Panda",
@@ -443,10 +443,10 @@
 },
 {
 "meta": {
+ "country": "CN",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "CN",
 "synonyms": [
 "APT15",
 "NICKEL",
@@ -459,10 +459,10 @@
 },
 {
 "meta": {
+ "country": "CN",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "CN",
 "synonyms": [
 "APT30",
 "LotusBlossom",
@@ -474,10 +474,10 @@
 },
 {
 "meta": {
+ "country": "CN",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "CN",
 "synonyms": [
 "HAFNIUM"
 ]
@@ -487,10 +487,10 @@
 },
 {
 "meta": {
+ "country": "CN",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "CN",
 "synonyms": [
 "APT31",
 "ZIRCONIUM"
@@ -687,10 +687,10 @@
 },
 {
 "meta": {
+ "country": "IR",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "IR",
 "synonyms": [
 "NEPTUNIUM",
 "Vice Leaker"
@@ -701,10 +701,10 @@
 },
 {
 "meta": {
+ "country": "IR",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "IR",
 "synonyms": [
 "CURIUM",
 "TA456",
@@ -716,10 +716,10 @@
 },
 {
 "meta": {
+ "country": "IR",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "IR",
 "synonyms": [
 "DEV-0228"
 ]
@@ -729,10 +729,10 @@
 },
 {
 "meta": {
+ "country": "IR",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "IR",
 "synonyms": [
 "DEV-0343"
 ]
@@ -742,10 +742,10 @@
 },
 {
 "meta": {
+ "country": "IR",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "IR",
 "synonyms": [
 "APT34",
 "Cobalt Gypsy",
@@ -758,10 +758,10 @@
 },
 {
 "meta": {
+ "country": "IR",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "IR",
 "synonyms": [
 "Fox Kitten",
 "PioneerKitten",
@@ -774,10 +774,10 @@
 },
 {
 "meta": {
+ "country": "IR",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "IR",
 "synonyms": [
 "MERCURY",
 "MuddyWater",
@@ -791,10 +791,10 @@
 },
 {
 "meta": {
+ "country": "IR",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "IR",
 "synonyms": [
 "DEV-0500",
 "Moses Staff"
@@ -805,10 +805,10 @@
 },
 {
 "meta": {
+ "country": "IR",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "IR",
 "synonyms": [
 "APT35",
 "Charming Kitten",
@@ -820,10 +820,10 @@
 },
 {
 "meta": {
+ "country": "IR",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "IR",
 "synonyms": [
 "APT33",
 "HOLMIUM",
@@ -835,10 +835,10 @@
 },
 {
 "meta": {
+ "country": "IR",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "IR",
 "synonyms": [
 "AMERICIUM",
 "Agrius",
@@ -852,10 +852,10 @@
 },
 {
 "meta": {
+ "country": "IR",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "IR",
 "synonyms": [
 "DEV-0146",
 "ZeroCleare"
@@ -866,10 +866,10 @@
 },
 {
 "meta": {
+ "country": "IR",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "IR",
 "synonyms": [
 "BOHRIUM"
 ]
@@ -879,10 +879,10 @@
 },
 {
 "meta": {
+ "country": "LB",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "LB",
 "synonyms": [
 "POLONIUM"
 ]
@@ -892,10 +892,10 @@
 },
 {
 "meta": {
+ "country": "KP",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "KP",
 "synonyms": [
 "Labyrinth Chollima",
 "Lazarus",
@@ -907,10 +907,10 @@
 },
 {
 "meta": {
+ "country": "KP",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "KP",
 "synonyms": [
 "Kimsuky",
 "THALLIUM",
@@ -922,10 +922,10 @@
 },
 {
 "meta": {
+ "country": "KP",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "KP",
 "synonyms": [
 "Konni",
 "OSMIUM"
@@ -936,10 +936,10 @@
 },
 {
 "meta": {
+ "country": "KP",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "KP",
 "synonyms": [
 "LAWRENCIUM"
 ]
@@ -949,10 +949,10 @@
 },
 {
 "meta": {
+ "country": "KP",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "KP",
 "synonyms": [
 "CERIUM"
 ]
@@ -962,10 +962,10 @@
 },
 {
 "meta": {
+ "country": "KP",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "KP",
 "synonyms": [
 "BlueNoroff",
 "COPERNICIUM",
@@ -977,10 +977,10 @@
 },
 {
 "meta": {
+ "country": "KP",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "KP",
 "synonyms": [
 "DEV-0530",
 "H0lyGh0st"
@@ -1047,10 +1047,10 @@
 },
 {
 "meta": {
+ "country": "RU",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "RU",
 "synonyms": [
 "ACTINIUM",
 "Gamaredon",
@@ -1063,10 +1063,10 @@
 },
 {
 "meta": {
+ "country": "RU",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "RU",
 "synonyms": [
 "DEV-0586"
 ]
@@ -1076,10 +1076,10 @@
 },
 {
 "meta": {
+ "country": "RU",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "RU",
 "synonyms": [
 "APT28",
 "Fancy Bear",
@@ -1091,10 +1091,10 @@
 },
 {
 "meta": {
+ "country": "RU",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "RU",
 "synonyms": [
 "BROMINE",
 "Crouching Yeti",
@@ -1106,10 +1106,10 @@
 },
 {
 "meta": {
+ "country": "RU",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "RU",
 "synonyms": [
 "APT29",
 "Cozy Bear",
@@ -1121,10 +1121,10 @@
 },
 {
 "meta": {
+ "country": "RU",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "RU",
 "synonyms": [
 "IRIDIUM",
 "Sandworm"
@@ -1135,10 +1135,10 @@
 },
 {
 "meta": {
+ "country": "RU",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "RU",
 "synonyms": [
 "Callisto",
 "Reuse Team",
@@ -1150,10 +1150,10 @@
 },
 {
 "meta": {
+ "country": "RU",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "RU",
 "synonyms": [
 "DEV-0665"
 ]
@@ -1163,10 +1163,10 @@
 },
 {
 "meta": {
+ "country": "KR",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "KR",
 "synonyms": [
 "DUBNIUM",
 "Dark Hotel",
@@ -1178,10 +1178,10 @@
 },
 {
 "meta": {
+ "country": "TR",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "TR",
 "synonyms": [
 "SILICON",
 "Sea Turtle"
@@ -1192,10 +1192,10 @@
 },
 {
 "meta": {
+ "country": "VN",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "VN",
 "synonyms": [
 "APT32",
 "BISMUTH",
From bf7005c1c3ee35542d561c2c428fdab409bdc4b6 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 19 Apr 2023 16:23:02 +0200
Subject: [PATCH 7/7] chg: [microsoft-activity-group] jq all the things
---
 clusters/microsoft-activity-group.json | 86 +++++++++++++-------------
 1 file changed, 43 insertions(+), 43 deletions(-)
diff --git a/clusters/microsoft-activity-group.json b/clusters/microsoft-activity-group.json
index 9a46090..dd428dc 100644
--- a/clusters/microsoft-activity-group.json
+++ b/clusters/microsoft-activity-group.json
@@ -322,10 +322,10 @@
 },
 {
 "meta": {
+ "country": "CN",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "CN",
 "synonyms": [
 "APT41",
 "BARIUM"
@@ -336,10 +336,10 @@
 },
 {
 "meta": {
+ "country": "CN",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "CN",
 "synonyms": [
 "CHROMIUM",
 "ControlX"
@@ -350,10 +350,10 @@
 },
 {
 "meta": {
+ "country": "CN",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "CN",
 "synonyms": [
 "DEV-0322"
 ]
@@ -363,10 +363,10 @@
 },
 {
 "meta": {
+ "country": "CN",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "CN",
 "synonyms": [
 "APT40",
 "GADOLINIUM",
@@ -380,10 +380,10 @@
 },
 {
 "meta": {
+ "country": "CN",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "CN",
 "synonyms": [
 "GALLIUM"
 ]
@@ -393,10 +393,10 @@
 },
 {
 "meta": {
+ "country": "CN",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "CN",
 "synonyms": [
 "DEV-0234"
 ]
@@ -406,10 +406,10 @@
 },
 {
 "meta": {
+ "country": "CN",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "CN",
 "synonyms": [
 "APT5",
 "Keyhole Panda",
@@ -422,10 +422,10 @@
 },
 {
 "meta": {
+ "country": "CN",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "CN",
 "synonyms": [
 "APT15",
 "NICKEL",
@@ -438,10 +438,10 @@
 },
 {
 "meta": {
+ "country": "CN",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "CN",
 "synonyms": [
 "APT30",
 "LotusBlossom",
@@ -453,10 +453,10 @@
 },
 {
 "meta": {
+ "country": "CN",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "CN",
 "synonyms": [
 "HAFNIUM"
 ]
@@ -466,10 +466,10 @@
 },
 {
 "meta": {
+ "country": "CN",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "CN",
 "synonyms": [
 "APT31",
 "ZIRCONIUM"
@@ -666,10 +666,10 @@
 },
 {
 "meta": {
+ "country": "IR",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "IR",
 "synonyms": [
 "NEPTUNIUM",
 "Vice Leaker"
@@ -680,10 +680,10 @@
 },
 {
 "meta": {
+ "country": "IR",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "IR",
 "synonyms": [
 "CURIUM",
 "TA456",
@@ -695,10 +695,10 @@
 },
 {
 "meta": {
+ "country": "IR",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "IR",
 "synonyms": [
 "DEV-0228"
 ]
@@ -708,10 +708,10 @@
 },
 {
 "meta": {
+ "country": "IR",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "IR",
 "synonyms": [
 "DEV-0343"
 ]
@@ -721,10 +721,10 @@
 },
 {
 "meta": {
+ "country": "IR",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "IR",
 "synonyms": [
 "APT34",
 "Cobalt Gypsy",
@@ -737,10 +737,10 @@
 },
 {
 "meta": {
+ "country": "IR",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "IR",
 "synonyms": [
 "Fox Kitten",
 "PioneerKitten",
@@ -753,10 +753,10 @@
 },
 {
 "meta": {
+ "country": "IR",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "IR",
 "synonyms": [
 "MERCURY",
 "MuddyWater",
@@ -770,10 +770,10 @@
 },
 {
 "meta": {
+ "country": "IR",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "IR",
 "synonyms": [
 "DEV-0500",
 "Moses Staff"
@@ -784,10 +784,10 @@
 },
 {
 "meta": {
+ "country": "IR",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "IR",
 "synonyms": [
 "APT35",
 "Charming Kitten",
@@ -799,10 +799,10 @@
 },
 {
 "meta": {
+ "country": "IR",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "IR",
 "synonyms": [
 "APT33",
 "HOLMIUM",
@@ -814,10 +814,10 @@
 },
 {
 "meta": {
+ "country": "IR",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "IR",
 "synonyms": [
 "AMERICIUM",
 "Agrius",
@@ -831,10 +831,10 @@
 },
 {
 "meta": {
+ "country": "IR",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "IR",
 "synonyms": [
 "DEV-0146",
 "ZeroCleare"
@@ -845,10 +845,10 @@
 },
 {
 "meta": {
+ "country": "IR",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "IR",
 "synonyms": [
 "BOHRIUM"
 ]
@@ -858,10 +858,10 @@
 },
 {
 "meta": {
+ "country": "LB",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "LB",
 "synonyms": [
 "POLONIUM"
 ]
@@ -871,10 +871,10 @@
 },
 {
 "meta": {
+ "country": "KP",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "KP",
 "synonyms": [
 "Labyrinth Chollima",
 "Lazarus",
@@ -886,10 +886,10 @@
 },
 {
 "meta": {
+ "country": "KP",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "KP",
 "synonyms": [
 "Kimsuky",
 "THALLIUM",
@@ -901,10 +901,10 @@
 },
 {
 "meta": {
+ "country": "KP",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "KP",
 "synonyms": [
 "Konni",
 "OSMIUM"
@@ -915,10 +915,10 @@
 },
 {
 "meta": {
+ "country": "KP",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "KP",
 "synonyms": [
 "LAWRENCIUM"
 ]
@@ -928,10 +928,10 @@
 },
 {
 "meta": {
+ "country": "KP",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "KP",
 "synonyms": [
 "CERIUM"
 ]
@@ -941,10 +941,10 @@
 },
 {
 "meta": {
+ "country": "KP",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "KP",
 "synonyms": [
 "BlueNoroff",
 "COPERNICIUM",
@@ -956,10 +956,10 @@
 },
 {
 "meta": {
+ "country": "KP",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "KP",
 "synonyms": [
 "DEV-0530",
 "H0lyGh0st"
@@ -1026,10 +1026,10 @@
 },
 {
 "meta": {
+ "country": "RU",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "RU",
 "synonyms": [
 "ACTINIUM",
 "Gamaredon",
@@ -1042,10 +1042,10 @@
 },
 {
 "meta": {
+ "country": "RU",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "RU",
 "synonyms": [
 "DEV-0586"
 ]
@@ -1055,10 +1055,10 @@
 },
 {
 "meta": {
+ "country": "RU",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "RU",
 "synonyms": [
 "APT28",
 "Fancy Bear",
@@ -1070,10 +1070,10 @@
 },
 {
 "meta": {
+ "country": "RU",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "RU",
 "synonyms": [
 "BROMINE",
 "Crouching Yeti",
@@ -1085,10 +1085,10 @@
 },
 {
 "meta": {
+ "country": "RU",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "RU",
 "synonyms": [
 "APT29",
 "Cozy Bear",
@@ -1100,10 +1100,10 @@
 },
 {
 "meta": {
+ "country": "RU",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "RU",
 "synonyms": [
 "IRIDIUM",
 "Sandworm"
@@ -1114,10 +1114,10 @@
 },
 {
 "meta": {
+ "country": "RU",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "RU",
 "synonyms": [
 "Callisto",
 "Reuse Team",
@@ -1129,10 +1129,10 @@
 },
 {
 "meta": {
+ "country": "RU",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "RU",
 "synonyms": [
 "DEV-0665"
 ]
@@ -1142,10 +1142,10 @@
 },
 {
 "meta": {
+ "country": "KR",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "KR",
 "synonyms": [
 "DUBNIUM",
 "Dark Hotel",
@@ -1157,10 +1157,10 @@
 },
 {
 "meta": {
+ "country": "TR",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "TR",
 "synonyms": [
 "SILICON",
 "Sea Turtle"
@@ -1171,10 +1171,10 @@
 },
 {
 "meta": {
+ "country": "VN",
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "country": "VN",
 "synonyms": [
 "APT32",
 "BISMUTH",