Merge "red october" and "cloud atlas" to inception framework"

This commit is contained in:
Rony 2022-08-16 09:30:29 +00:00
parent 62b168600f
commit 370045b01d


@ -6264,33 +6264,66 @@
"description": "This threat actor uses spear-phishing techniques to target private-sector energy, defense, aerospace, research, and media organizations and embassies in Africa, Europe, and the Middle East, for the purpose of espionage.", "description": "This threat actor uses spear-phishing techniques to target private-sector energy, defense, aerospace, research, and media organizations and embassies in Africa, Europe, and the Middle East, for the purpose of espionage.",
"meta": { "meta": {
"attribution-confidence": "50", "attribution-confidence": "50",
"cfr-suspected-state-sponsor": "Unknown", "cfr-suspected-state-sponsor": "Russian Federation",
"cfr-suspected-victims": [ "cfr-suspected-victims": [
"South Africa", "Afghanistan",
"Malaysia", "Armenia",
"Azerbaijan",
"Belarus",
"Belgium",
"Czech Republic",
"Greece",
"India",
"Iran",
"Italy",
"Kazakhstan",
"Kenya", "Kenya",
"Malaysia",
"Russia",
"South Africa",
"Suriname", "Suriname",
"United Kingdom" "Turkmenistan",
"Ukraine",
"United Kingdom",
"United States",
"Vietnam"
], ],
"cfr-target-category": [ "cfr-target-category": [
"Government", "Government",
"Private sector" "Private sector"
], ],
"cfr-type-of-incident": "Espionage", "cfr-type-of-incident": "Espionage",
"country": "RU",
"refs": [ "refs": [
"https://www.cfr.org/interactive/cyber-operations/inception-framework", "https://www.cfr.org/interactive/cyber-operations/inception-framework",
"https://web.archive.org/web/20160710180729/https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware", "https://web.archive.org/web/20160710180729/https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware",
"https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/Inception_APT_Analysis_Bluecoat.pdf", "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/Inception_APT_Analysis_Bluecoat.pdf",
"https://logrhythm.com/blog/catching-the-inception-framework-phishing-attack/", "https://logrhythm.com/blog/catching-the-inception-framework-phishing-attack",
"https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/bcs_wp_InceptionReport_EN_v12914.pdf", "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/bcs_wp_InceptionReport_EN_v12914.pdf",
"https://securelist.com/red-october-diplomatic-cyber-attacks-investigation/36740/", "https://securelist.com/the-red-october-campaign/57647",
"https://securelist.com/red-october-diplomatic-cyber-attacks-investigation/36740",
"https://securelist.com/red-october-part-two-the-modules/57645",
"https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083",
"https://securelist.com/an-undocumented-word-feature-abused-by-attackers/81899",
"https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability",
"https://securelist.com/recent-cloud-atlas-activity/92016",
"https://www.symantec.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies", "https://www.symantec.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies",
"https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/",
"https://www.akamai.com/uk/en/multimedia/documents/white-paper/upnproxy-blackhat-proxies-via-nat-injections-white-paper.pdf", "https://www.akamai.com/uk/en/multimedia/documents/white-paper/upnproxy-blackhat-proxies-via-nat-injections-white-paper.pdf",
"https://unit42.paloaltonetworks.com/atoms/clean-ursa/" "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
"https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf",
"https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf",
"https://unit42.paloaltonetworks.com/atoms/clean-ursa",
"https://www.cfr.org/interactive/cyber-operations/cloud-atlas",
"https://www.cfr.org/cyber-operations/red-october",
"https://attack.mitre.org/groups/G0100"
], ],
"synonyms": [ "synonyms": [
"Clean Ursa" "Clean Ursa",
"Cloud Atlas",
"OXYGEN",
"G0100",
"ATK116",
"Blue Odin"
] ]
}, },
"uuid": "71ef51ca-a791-11e8-a026-07980ca910ca", "uuid": "71ef51ca-a791-11e8-a026-07980ca910ca",
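Review bot: The merged entry's `synonyms` list picks up `Cloud Atlas`, `G0100` and `ATK116` from the deleted Cloud Atlas cluster but none of the names from the deleted Red October cluster — neither `Red October` nor `the Rocra` appears, so existing tags or searches on those names no longer resolve to any cluster; add `"Red October",` and `"the Rocra"` to the list. The two removed clusters also take their UUIDs (`358b8982-…` and `1572f618-…`) with them and nothing in the surviving entry points back at them, so data already tagged with either old cluster loses the link; recording the retired UUIDs on this entry (via the galaxy format's relationship field, if that is the convention in this repository) would preserve it. The `description` on the first line of the hunk is unchanged and still covers only the Inception Framework phishing activity, although the entry now absorbs Red October and Cloud Atlas; carry over the deleted text's note that the actor is also known as Rocra and believed to be the same actor as Cloud Atlas. `attribution-confidence` stays at `50` while the state sponsor changes from `Unknown` to `Russian Federation` and `"country": "RU"` is added — worth confirming the confidence value was revisited alongside the attribution change. The enclosing cluster object starts before and ends after this hunk.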
@ -6489,73 +6522,6 @@
"uuid": "75ae52b2-bca3-11e8-af90-a78f33eee6c1", "uuid": "75ae52b2-bca3-11e8-af90-a78f33eee6c1",
"value": "Operation BugDrop" "value": "Operation BugDrop"
}, },
{
"description": "This threat actor targets governments, diplomatic missions, academics, and energy and aerospace organizations for the purpose of espionage. Also known as the Rocra and believed to be the same threat actor as Cloud Atlas",
"meta": {
"attribution-confidence": "50",
"cfr-suspected-state-sponsor": "Russian Federation",
"cfr-suspected-victims": [
"Russia",
"Belgium",
"Armenia",
"Ukraine",
"Belarus",
"Kazakhstan",
"India",
"Iran",
"United States",
"Greece",
"Azerbaijan",
"Afghanistan",
"Turkmenistan",
"Vietnam",
"Italy"
],
"cfr-target-category": [
"Government",
"Private sector"
],
"cfr-type-of-incident": "Espionage",
"country": "RU",
"refs": [
"https://www.cfr.org/interactive/cyber-operations/red-october"
],
"synonyms": [
"the Rocra"
]
},
"uuid": "358b8982-bcaa-11e8-8a5b-4b618197c5b0",
"value": "Red October"
},
{
"description": "This threat actor targets governments and diplomatic organizations for espionage purposes.",
"meta": {
"attribution-confidence": "50",
"cfr-suspected-state-sponsor": "Russian Federation",
"cfr-suspected-victims": [
"Russia",
"India",
"Kazakhstan",
"Czech Republic",
"Belarus"
],
"cfr-target-category": [
"Government"
],
"cfr-type-of-incident": "Espionage",
"country": "RU",
"refs": [
"https://www.cfr.org/interactive/cyber-operations/cloud-atlas",
"https://attack.mitre.org/groups/G0100/"
],
"synonyms": [
"ATK116",
"G0100"
]
},
"uuid": "1572f618-bcb3-11e8-841b-1fd7f9cfe126",
"value": "Cloud Atlas"
},
{ {
"description": "This threat actor compromises civil society groups the Chinese Communist Party views as hostile to its interests, such as Tibetan, Uyghur, Hong Kong, and Taiwanese activist. The threat actor also targeted the Myanmar electoral commission. ", "description": "This threat actor compromises civil society groups the Chinese Communist Party views as hostile to its interests, such as Tibetan, Uyghur, Hong Kong, and Taiwanese activist. The threat actor also targeted the Myanmar electoral commission. ",
"meta": { "meta": {