From 370045b01db64084ab6d3cdf1c302ece4590358a Mon Sep 17 00:00:00 2001
From: Rony
Date: Tue, 16 Aug 2022 09:30:29 +0000
Subject: [PATCH] Merge "red october" and "cloud atlas" to inception framework"

---
 clusters/threat-actor.json | 118 +++++++++++++------------------------
 1 file changed, 42 insertions(+), 76 deletions(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 3df1d77..a4b63eb 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -6264,33 +6264,66 @@
 "description": "This threat actor uses spear-phishing techniques to target private-sector energy, defense, aerospace, research, and media organizations and embassies in Africa, Europe, and the Middle East, for the purpose of espionage.",
 "meta": {
 "attribution-confidence": "50",
- "cfr-suspected-state-sponsor": "Unknown",
+ "cfr-suspected-state-sponsor": "Russian Federation",
 "cfr-suspected-victims": [
- "South Africa",
- "Malaysia",
+ "Afghanistan",
+ "Armenia",
+ "Azerbaijan",
+ "Belarus",
+ "Belgium",
+ "Czech Republic",
+ "Greece",
+ "India",
+ "Iran",
+ "Italy",
+ "Kazakhstan",
 "Kenya",
+ "Malaysia",
+ "Russia",
+ "South Africa",
 "Suriname",
- "United Kingdom"
+ "Turkmenistan",
+ "Ukraine",
+ "United Kingdom",
+ "United States",
+ "Vietnam"
 ],
 "cfr-target-category": [
 "Government",
 "Private sector"
 ],
 "cfr-type-of-incident": "Espionage",
+ "country": "RU",
 "refs": [
 "https://www.cfr.org/interactive/cyber-operations/inception-framework",
 "https://web.archive.org/web/20160710180729/https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware",
 "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/Inception_APT_Analysis_Bluecoat.pdf",
- "https://logrhythm.com/blog/catching-the-inception-framework-phishing-attack/",
+ "https://logrhythm.com/blog/catching-the-inception-framework-phishing-attack",
 "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/bcs_wp_InceptionReport_EN_v12914.pdf",
- "https://securelist.com/red-october-diplomatic-cyber-attacks-investigation/36740/",
+ "https://securelist.com/the-red-october-campaign/57647",
+ "https://securelist.com/red-october-diplomatic-cyber-attacks-investigation/36740",
+ "https://securelist.com/red-october-part-two-the-modules/57645",
+ "https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083",
+ "https://securelist.com/an-undocumented-word-feature-abused-by-attackers/81899",
+ "https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability",
+ "https://securelist.com/recent-cloud-atlas-activity/92016",
 "https://www.symantec.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies",
- "https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/",
 "https://www.akamai.com/uk/en/multimedia/documents/white-paper/upnproxy-blackhat-proxies-via-nat-injections-white-paper.pdf",
- "https://unit42.paloaltonetworks.com/atoms/clean-ursa/"
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf",
+ "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf",
+ "https://unit42.paloaltonetworks.com/atoms/clean-ursa",
+ "https://www.cfr.org/interactive/cyber-operations/cloud-atlas",
+ "https://www.cfr.org/cyber-operations/red-october",
+ "https://attack.mitre.org/groups/G0100"
 ],
 "synonyms": [
- "Clean Ursa"
+ "Clean Ursa",
+ "Cloud Atlas",
+ "OXYGEN",
+ "G0100",
+ "ATK116",
+ "Blue Odin"
 ]
 },
 "uuid": "71ef51ca-a791-11e8-a026-07980ca910ca",
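Review bot: The deleted Red October cluster's names are not carried over — neither `"Red October"` nor `"the Rocra"` appears in the new synonyms list of the hunk at @@ -6264, so tags and lookups that used those names, unlike "Cloud Atlas", "ATK116" and "G0100", no longer resolve to this cluster; add `"Red October",` and `"the Rocra",` next to `"Cloud Atlas",`. Removing the two clusters in the hunk at @@ -6489 also drops their UUIDs `358b8982-bcaa-11e8-8a5b-4b618197c5b0` and `1572f618-bcb3-11e8-841b-1fd7f9cfe126` with nothing on the new side pointing at them, so events already tagged with those UUIDs will dangle; whether the galaxy's convention for a merge is a `related` entry on the surviving cluster or a deprecated stub is outside this diff and should be checked before it lands. The sponsor changes from "Unknown" to "Russian Federation" and `"country": "RU"` is added while `"attribution-confidence": "50"` and the description are untouched, so the description should at least say that the entry now also covers the merged actors, e.g. append `Also tracked as Red October (Rocra) and Cloud Atlas, which are believed to be the same threat actor.`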
@@ -6489,73 +6522,6 @@
 "uuid": "75ae52b2-bca3-11e8-af90-a78f33eee6c1",
 "value": "Operation BugDrop"
 },
- {
- "description": "This threat actor targets governments, diplomatic missions, academics, and energy and aerospace organizations for the purpose of espionage. Also known as the Rocra and believed to be the same threat actor as Cloud Atlas",
- "meta": {
- "attribution-confidence": "50",
- "cfr-suspected-state-sponsor": "Russian Federation",
- "cfr-suspected-victims": [
- "Russia",
- "Belgium",
- "Armenia",
- "Ukraine",
- "Belarus",
- "Kazakhstan",
- "India",
- "Iran",
- "United States",
- "Greece",
- "Azerbaijan",
- "Afghanistan",
- "Turkmenistan",
- "Vietnam",
- "Italy"
- ],
- "cfr-target-category": [
- "Government",
- "Private sector"
- ],
- "cfr-type-of-incident": "Espionage",
- "country": "RU",
- "refs": [
- "https://www.cfr.org/interactive/cyber-operations/red-october"
- ],
- "synonyms": [
- "the Rocra"
- ]
- },
- "uuid": "358b8982-bcaa-11e8-8a5b-4b618197c5b0",
- "value": "Red October"
- },
- {
- "description": "This threat actor targets governments and diplomatic organizations for espionage purposes.",
- "meta": {
- "attribution-confidence": "50",
- "cfr-suspected-state-sponsor": "Russian Federation",
- "cfr-suspected-victims": [
- "Russia",
- "India",
- "Kazakhstan",
- "Czech Republic",
- "Belarus"
- ],
- "cfr-target-category": [
- "Government"
- ],
- "cfr-type-of-incident": "Espionage",
- "country": "RU",
- "refs": [
- "https://www.cfr.org/interactive/cyber-operations/cloud-atlas",
- "https://attack.mitre.org/groups/G0100/"
- ],
- "synonyms": [
- "ATK116",
- "G0100"
- ]
- },
- "uuid": "1572f618-bcb3-11e8-841b-1fd7f9cfe126",
- "value": "Cloud Atlas"
- },
 {
 "description": "This threat actor compromises civil society groups the Chinese Communist Party views as hostile to its interests, such as Tibetan, Uyghur, Hong Kong, and Taiwanese activist. The threat actor also targeted the Myanmar electoral commission. ",
 "meta": {