From b3a25c57b3361dde64a014ecce13b345172507c7 Mon Sep 17 00:00:00 2001
From: jstnk9
Date: Fri, 16 Feb 2024 17:36:09 +0100
Subject: [PATCH] added new information in relation to the Mandiant-Google TAG Report
New information added via https://services.google.com/fh/files/misc/tool-of-first-resort-israel-hamas-war-cyber.pdf
---
 clusters/threat-actor.json | 220 ++++++++++++++++++++++++++++++++++---
 1 file changed, 207 insertions(+), 13 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 836beb2..554d520 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -4240,7 +4240,32 @@
 "https://securelist.com/gaza-cybergang-updated-2017-activity/82765/",
 "https://www.kaspersky.com/blog/gaza-cybergang/26363/",
 "https://attack.mitre.org/groups/G0021/",
- "https://www.secureworks.com/research/threat-profiles/aluminum-saratoga"
+ "https://www.secureworks.com/research/threat-profiles/aluminum-saratoga",
+ "https://services.google.com/fh/files/misc/tool-of-first-resort-israel-hamas-war-cyber.pdf"
 ],
+ "cfr-type-of-incident": "Espionage",
+ "cfr-suspected-state-sponsor": "Palestine",
+ "country": "PS",
+ "cfr-suspected-victims": [
+ "United States",
+ "Israel",
+ "Palestine",
+ "Middle East",
+ "Europe"
+ ],
+ "cfr-target-category": [
+ "Government",
+ "Defense",
+ "Energy",
+ "Finance",
+ "Healthcare",
+ "Pharmaceuticals",
+ "Education",
+ "Media",
+ "NGOs",
+ "Civil Society",
+ "Legal",
+ "Military"
 ],
 "synonyms": [
 "Gaza Hackers Team",
@@ -4250,7 +4275,8 @@
 "Extreme Jackal",
 "Moonlight",
 "ALUMINUM SARATOGA",
- "G0021"
+ "G0021",
+ "BLACKSTEM"
 ]
 },
 "related": [
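Review bot: The new `"cfr-suspected-state-sponsor": "Palestine"` line asserts state sponsorship for this cluster without an accompanying `"attribution-confidence"` value, whereas the Lyceum, Tortoiseshell, Cotton Sandstorm and Blackatom hunks in this same patch set `"attribution-confidence": "50"` next to the same kind of claim. A consumer keying off the sponsor field gets no signal that this is a suspicion rather than a confirmed attribution; add `"attribution-confidence": "50",` (or whatever level the cited report supports) alongside the sponsor line. Also check that the meta block did not already carry a `"country"` key above this hunk, since a second one would be a duplicate key that strict parsers reject and lenient ones silently override. The enclosing meta object starts before and ends after this hunk.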
@@ -6049,10 +6075,39 @@
 "http://blog.talosintelligence.com/2017/06/palestine-delphi.html",
 "https://www.threatconnect.com/blog/kasperagent-malware-campaign/",
 "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/sexually-explicit-material-used-as-lures-in-cyber-attacks?linkId=12425812",
- "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064309/The-Desert-Falcons-targeted-attacks.pdf"
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064309/The-Desert-Falcons-targeted-attacks.pdf",
+ "https://services.google.com/fh/files/misc/tool-of-first-resort-israel-hamas-war-cyber.pdf"
 ],
+ "cfr-type-of-incident": "Espionage",
+ "cfr-suspected-state-sponsor": "Palestine",
+ "country": "PS",
+ "cfr-target-category": [
+ "Government",
+ "Defense",
+ "Energy",
+ "Finance",
+ "Education",
+ "High-Tech",
+ "Telecoms",
+ "Transportation",
+ "Media",
+ "NGOs",
+ "Civil Society",
+ "Legal",
+ "Military"
+ ],
+ "cfr-suspected-victims": [
+ "United States",
+ "Israel",
+ "Palestine",
+ "Middle East",
+ "Europe"
 ],
 "synonyms": [
 "Desert Falcon",
+ "Renegade Jackal",
+ "DESERTVARNISH",
+ "UNC718",
 "Arid Viper",
 "APT-C-23"
 ]
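Review bot: As in the Gaza Cybergang hunk, `"cfr-suspected-state-sponsor": "Palestine"` is added here without an `"attribution-confidence"` value, while the Iranian-attributed entries in this patch carry `"attribution-confidence": "50"` next to the same claim; add `"attribution-confidence": "50",` (or the level the report supports) so the field is not read as a confirmed attribution. The added `"country": "PS"` should likewise be checked against the part of the meta block above this hunk to make sure it is not a duplicate key. The enclosing meta object starts before this hunk.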
@@ -8473,18 +8528,38 @@
 "description": "Lyceum is an Iranian APT group that has been active since at least 2014. They primarily target Middle Eastern governments and organizations in the energy and telecommunications sectors. Lyceum is known for using cyber espionage techniques and has been linked to other Iranian threat groups such as APT34. They have developed and deployed malware families like Shark and Milan, and have been observed using DNS tunneling and HTTPfor command and control communication.",
 "meta": {
 "country": "IR",
+ "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
+ "cfr-type-of-incident": "Espionage",
+ "attribution-confidence": "50",
 "refs": [
 "https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign",
 "https://www.secureworks.com/research/threat-profiles/cobalt-lyceum",
 "https://www.prevailion.com/latest-targets-of-cyber-group-lyceum/",
 "https://www.clearskysec.com/siamesekitten/",
- "https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf"
+ "https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf",
+ "https://services.google.com/fh/files/misc/tool-of-first-resort-israel-hamas-war-cyber.pdf"
+ ],
+ "cfr-suspected-victims": [
+ "Israel",
+ "Middle East"
+ ],
+ "cfr-target-category": [
+ "Government",
+ "Energy",
+ "High-Tech",
+ "Telecomms",
+ "Education",
+ "Military",
+ "Defense"
 ],
 "synonyms": [
 "COBALT LYCEUM",
 "HEXANE",
+ "UNC1530",
 "Spirlin",
+ "MYSTICDOME",
 "siamesekitten",
+ "Chrono Kitten",
 "Storm-0133"
 ]
 },
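Review bot: `"Telecomms",` in the new cfr-target-category list is spelled differently from `"Telecoms"`, which the Tortoiseshell and Cotton Sandstorm hunks of this same patch use, so any sector filter or taxonomy export will miss Lyceum; change it to `"Telecoms",`. The same misspelling appears in the new BANISHED KITTEN entry at the end of the patch. Unrelated to the change, the unchanged description line reads `HTTPfor`, which is missing a space.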
@@ -8635,18 +8710,46 @@
 "description": "A previously undocumented attack group is using both custom and off-the-shelf malware to target IT providers in Saudi Arabia in what appear to be supply chain attacks with the end goal of compromising the IT providers’ customers.\nThe group, which we are calling Tortoiseshell, has been active since at least July 2018. Symantec has identified a total of 11 organizations hit by the group, the majority of which are based in Saudi Arabia. In at least two organizations, evidence suggests that the attackers gained domain admin-level access.",
 "meta": {
 "country": "IR",
+ "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
+ "attribution-confidence": "50",
 "refs": [
 "https://www.symantec.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain",
 "https://www.darkreading.com/threat-intelligence/iranian-government-hackers-target-us-veterans/d/d-id/1335897",
 "https://ctoatncsc.substack.com/p/cto-at-ncsc-summary-week-ending-october",
 "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html",
- "https://ics-cert.kaspersky.com/publications/reports/2023/09/25/apt-and-financial-attacks-on-industrial-organizations-in-h1-2023/"
+ "https://ics-cert.kaspersky.com/publications/reports/2023/09/25/apt-and-financial-attacks-on-industrial-organizations-in-h1-2023/",
+ "https://services.google.com/fh/files/misc/tool-of-first-resort-israel-hamas-war-cyber.pdf"
+ ],
+ "cfr-type-of-incident": "Espionage",
+ "cfr-suspected-victims": [
+ "United States",
+ "Israel",
+ "Middle East",
+ "Europe"
+ ],
+ "cfr-target-category": [
+ "Defense",
+ "Government",
+ "Military",
+ "Finance",
+ "Energy",
+ "Healthcare",
+ "Pharmaceuticals",
+ "Telecoms",
+ "High-Tech",
+ "Media",
+ "NGOs",
+ "Civil Society",
+ "Legal",
+ "Rail",
+ "Transportation"
 ],
 "synonyms": [
 "IMPERIAL KITTEN",
 "Yellow Liderc",
 "Imperial Kitten",
 "TA456",
+ "DUSTYCAVE",
 "Crimson Sandstorm"
 ]
 },
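Review bot: The meta block now claims victims in the United States, Israel and Europe across fifteen sectors, but the unchanged description above still describes only the 2018 Saudi IT-provider supply-chain campaign from the Symantec write-up, so an analyst reading the cluster cannot tell which claims rest on which reference. Add a sentence to the description summarising what the newly cited Google TAG report contributes (at least the Israel-related activity that motivated this patch), or state there that the victim and sector lists aggregate all listed references. `"Rail",` sits next to `"Transportation"` in the same list and is a sub-sector of it; keep it only if the report singles out rail targeting, otherwise it inflates the sector count without adding information.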
@@ -10527,18 +10630,26 @@
 "Financial services",
 "Food and agriculture",
 "Government agencies and services",
- "Healthcare and public health",
+ "Healthcare",
+ "Pharmaceuticals",
 "Information technology",
- "Transportation systems"
+ "Transportation systems",
+ "NGOs",
+ "Civil Society",
+ "Military",
+ "Defense"
 ],
 "cfr-type-of-incident": "Espionage",
 "country": "LB",
 "refs": [
 "https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/",
- "https://www.deepinstinct.com/blog/polonium-apt-group-uncovering-new-elements"
+ "https://www.deepinstinct.com/blog/polonium-apt-group-uncovering-new-elements",
+ "https://services.google.com/fh/files/misc/tool-of-first-resort-israel-hamas-war-cyber.pdf"
 ],
 "synonyms": [
- "Plaid Rain"
+ "Plaid Rain",
+ "UNC4453",
+ "GREATRIFT"
 ]
 },
 "related": [
@@ -11781,13 +11892,20 @@
 "cfr-suspected-victims": [
 "Australia",
 "Europe",
+ "Israel",
 "Middle East",
 "US"
 ],
 "cfr-target-category": [
 "Education",
 "Government",
+ "Military",
+ "Defense",
+ "Energy",
+ "Finance",
 "Healthcare",
+ "Pharmaceuticals",
+ "Civil Society",
 "Legal",
 "Manufacturing",
 "Media",
@@ -11795,11 +11913,15 @@
 "Pharmaceuticals"
 ],
 "country": "IR",
+ "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
+ "cfr-type-of-incident": "Espionage",
 "refs": [
- "https://www.mandiant.com/resources/blog/apt42-charms-cons-compromises"
+ "https://www.mandiant.com/resources/blog/apt42-charms-cons-compromises",
+ "https://services.google.com/fh/files/misc/tool-of-first-resort-israel-hamas-war-cyber.pdf"
 ],
 "synonyms": [
- "UNC788"
+ "UNC788",
+ "CALANQUE"
 ]
 },
 "related": [
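Review bot: Replacing `"Healthcare and public health"` with `"Healthcare"` and `"Pharmaceuticals"` switches vocabulary inside an array whose remaining entries (`"Financial services"`, `"Government agencies and services"`, `"Information technology"`, `"Transportation systems"`) follow the long critical-infrastructure sector names, while the four appended values (`"NGOs"`, `"Civil Society"`, `"Military"`, `"Defense"`) follow the short vocabulary used by the other entries in this patch. With both forms in one list, a consumer filtering on either spelling of a sector gets partial results; either keep this entry on the long form it already used or normalise the whole array to the short form. The cfr-target-category array starts before this hunk.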
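Review bot: The APT42 hunk adds `+ "Pharmaceuticals",` directly after `"Healthcare"`, but the context of the following hunk shows `"Pharmaceuticals"` already present at the end of the same cfr-target-category array, so the value is now listed twice. Drop the added line; a duplicate string is harmless to a JSON parser but is rendered twice in the galaxy UI and in any exported taxonomy, and it suggests the list was not read in full before editing. The array is split across the two APT42 hunks, so the duplicate is only visible when both are read together.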
@@ -14262,15 +14384,36 @@
 "description": "Cotton Sandstorm is an Iranian threat actor involved in hack-and-leak operations. They have targeted various organizations, including the French satirical magazine Charlie Hebdo, where they obtained and leaked personal information of over 200,000 customers. The group has been linked to the Iranian government and has been sanctioned by the US Treasury",
 "meta": {
 "country": "IR",
+ "attribution-confidence": "50",
+ "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
+ "cfr-type-of-incident": "Information Operations",
+ "cfr-suspected-victims": [
+ "United States",
+ "Israel",
+ "Middle East",
+ "Europe"
+ ],
+ "cfr-target-category": [
+ "Government",
+ "Finance",
+ "High-Tech",
+ "Telecoms",
+ "NGOs",
+ "Civil Society",
+ "Rail",
+ "Energy"
+ ],
 "refs": [
 "https://blog.sekoia.io/iran-cyber-threat-overview/",
 "https://blogs.microsoft.com/on-the-issues/2023/02/03/dtac-charlie-hebdo-hack-iran-neptunium/",
 "https://www.ic3.gov/Media/News/2022/220126.pdf",
- "https://www.microsoft.com/en-us/security/business/security-insider/threat-briefs/iran-response-for-charlie-hebdo-attacks/"
+ "https://www.microsoft.com/en-us/security/business/security-insider/threat-briefs/iran-response-for-charlie-hebdo-attacks/",
+ "https://services.google.com/fh/files/misc/tool-of-first-resort-israel-hamas-war-cyber.pdf"
 ],
 "synonyms": [
 "Emennet Pasargad",
 "Holy Souls",
+ "MARNANBRIDGE",
 "NEPTUNIUM"
 ]
 },
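Review bot: `"cfr-type-of-incident": "Information Operations"` records only the leak half of what the unchanged description calls hack-and-leak operations; the intrusion and data theft that precede the leak are the kind of activity the other entries in this patch label `"Espionage"`. If the cluster schema accepts an array for this field (the new BANISHED KITTEN entry at the end of this patch uses one), `"cfr-type-of-incident": ["Espionage", "Information Operations"],` would describe the entry more accurately; if it only accepts a string, keep the current value and mention the intrusion component in the description instead.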
@@ -14996,13 +15139,64 @@
 "description": "Recent campaigns suggest Hamas-linked actors may be advancing their\nTTPs to include intricate social engineering lures specially crafted to\nappeal to a niche group of high value targets. In September 2023, a Palestine-based group likely linked to Hamas targeted Israeli software engineers\nusing an elaborate social engineering ruse that ultimately installed malware\nand stole cookies. The attackers, which Google’s Threat Analysis Group (TAG) tracks as BLACKATOM, posed as employees of legitimate companies\nand reached out via LinkedIn to invite targets to apply for software development freelance opportunities. Targets included software engineers in\nthe Israeli military, as well as Israel’s aerospace and defense industry",
 "meta": {
 "country": "PS",
+ "cfr-type-of-incident": "Espionage",
+ "cfr-suspected-state-sponsor": "Palestine",
+ "attribution-confidence": "50",
+ "cfr-target-category": [
+ "Military",
+ "Defense",
+ "Transportation"
+ ],
+ "cfr-suspected-victims": [
+ "Israel"
+ ],
 "refs": [
 "https://services.google.com/fh/files/misc/tool-of-first-resort-israel-hamas-war-cyber.pdf"
 ]
 },
 "uuid": "264687b8-82f4-43b5-b7bb-dc3e0b9246bc",
 "value": "Blackatom"
+ },
+ {
+ "description": "BANISHED KITTEN is an Iranian state-nexus adversary active since at least 2008. 
While the adversary’s most prominent activity is the July and September 2022 disruptive attacks targeting Albanian government infrastructure and the use of the HomelandJustice persona to leak stolen data, BANISHED KITTEN has likely targeted dissidents using the AllinOneNeo malware family.",
+ "meta": {
+ "country": "IR",
+ "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
+ "attribution-confidence": "50",
+ "refs": [
+ "https://www.crowdstrike.com/adversaries/banished-kitten/",
+ "https://services.google.com/fh/files/misc/tool-of-first-resort-israel-hamas-war-cyber.pdf"
+ ],
+ "cfr-type-of-incident": [
+ "Espionage",
+ "Information Operations",
+ "Sabotage"
+ ],
+ "cfr-suspected-victims": [
+ "United States",
+ "Israel",
+ "Middle East",
+ "Europe"
+ ],
+ "cfr-target-category": [
+ "Government",
+ "Healthcare",
+ "Pharmaceuticals",
+ "High-Tech",
+ "Telecomms",
+ "Education",
+ "Media",
+ "NGOs",
+ "Civil Society"
+ ],
+ "synonyms": [
+ "DUNE",
+ "Storm-0842"
+ ]
+ },
+ "uuid": "3682a08e-c1d9-4dff-ae08-774883dddba6",
+ "value": "BANISHED KITTEN"
 }
 ],
 "version": 300
-}
+}
\ No newline at end of file
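Review bot: The new BANISHED KITTEN entry stores `"cfr-type-of-incident"` as an array (`["Espionage", "Information Operations", "Sabotage"]`) while every other entry touched by this patch stores a string, so a consumer that reads the field as a string will break on or silently mis-handle this cluster; confirm that schema_clusters.json allows both shapes, and if it does not, use the single-string form the rest of the file uses. `"Telecomms",` in the same entry repeats the misspelling of `"Telecoms"` seen in the Lyceum hunk and will be missed by sector filters. Finally, the patch drops the file's trailing newline (the `-}` / `+}` pair followed by `\ No newline at end of file`); restore it so the closing brace keeps its newline and the file stays consistent with the rest of the repository's formatted JSON.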