From d9af67d1dfedc4ec637d79e4e40755d11f23a15c Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Wed, 24 Jul 2024 03:39:38 -0700 Subject: [PATCH 1/3] [threat-actors] Add Threat Actor 888 --- clusters/threat-actor.json | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index d30ad43..1a044f0 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -16399,6 +16399,19 @@ }, "uuid": "000d8bbf-cb6f-4f7b-89a4-9c136ac4bc5a", "value": "Nullbulge" + }, + { + "description": "Threat actor 888 is a hacker active in 2024, targeting companies for data breaches. They've hit Microsoft, BMW (Hong Kong), and others in tech, freight, and oil & gas industries", + "meta": { + "refs": [ + "https://cybersecuritynews.com/threats-claimimg-breach/", + "https://www.cloudways.com/blog/hacker-allegedly-leaks-data-from-shopify-breach-on-breachforums/", + "https://twitter.com/H4ckManac/status/1810569160180515171", + "https://medium.com/@DoingFedTime/80-000-records-exposed-in-shell-data-breach-by-threat-actor-888-64c407dfac94" + ] + }, + "uuid": "8f31b9b1-44c9-4b7f-b850-7cf02c306e25", + "value": "Threat Actor 888" } ], "version": 312 From 49093ecf161bd7406284939fa0eebda2b7b7ee2b Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Wed, 24 Jul 2024 03:39:38 -0700 Subject: [PATCH 2/3] [threat-actors] Add UAC-0063 --- clusters/threat-actor.json | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 1a044f0..ae20855 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -16412,6 +16412,17 @@ }, "uuid": "8f31b9b1-44c9-4b7f-b850-7cf02c306e25", "value": "Threat Actor 888" + }, + { + "description": "UAC-0063 is a threat actor linked to Russian APT28, known for targeting government entities in Ukraine and Central Asia for cyber espionage operations. They utilize keyloggers, backdoors, and malware like Hatvibe and Cherryspy to compromise systems and exfiltrate sensitive information. The group has been active since at least 2021 and has shown interest in targeting organizations in Mongolia, Kazakhstan, Kyrgyzstan, Israel, and India. Their TTPs include spear-phishing campaigns and exploiting vulnerabilities in software products like HFS HTTP File Server and Rejetto file-sharing servers.", + "meta": { + "refs": [ + "https://socprime.com/blog/uac-0063-attack-detection-hackers-target-ukrainian-research-institutions-using-hatvibe-cherryspy-and-cve-2024-23692/", + "https://cert.gov.ua/article/4697016" + ] + }, + "uuid": "9565bf78-7c9c-41cd-9ed0-58031f6d8978", + "value": "UAC-0063" } ], "version": 312 From a3eefc40584f9e7f5cb2c8a26dfa6440dea9a5de Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Wed, 24 Jul 2024 03:39:39 -0700 Subject: [PATCH 3/3] [threat actors] Update README --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index fa7dad6..d926bf6 100644 --- a/README.md +++ b/README.md @@ -543,7 +543,7 @@ Category: *tea-matrix* - source: ** - total: *7* elements [Threat Actor](https://www.misp-galaxy.org/threat-actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group. -Category: *actor* - source: *MISP Project* - total: *711* elements +Category: *actor* - source: *MISP Project* - total: *713* elements [[HTML](https://www.misp-galaxy.org/threat-actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)]