From 4112a041f7883c45db31f35eb1588e97eca5f46f Mon Sep 17 00:00:00 2001 From: CERT-Bund Date: Thu, 16 Mar 2017 17:02:55 +0100 Subject: [PATCH] Added groups, joined groups, added synonyms (see extended description) Added: HammerPanda, Barium, Infy, Sima, Groundbait Joined: StrongPity and Promethium Synonyms: Lead as Winnti, Moonlight as MoleRats, FalloutTeam as DarkHotel, DustStorm as StonePanda, Skipper and Popeye as Pacifier --- clusters/threat-actor.json | 113 +++++++++++++++++++++++++++++++------ 1 file changed, 95 insertions(+), 18 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 07a87e2..325443d 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -163,7 +163,8 @@ { "meta": { "synonyms": [ - "DUBNIUM" + "DUBNIUM", + "Fallout Team" ], "refs": [ "https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/", @@ -255,12 +256,15 @@ "Group72", "Tailgater", "Ragebeast", - "Blackfly" + "Blackfly", + "Lead", + "Wicked Spider" ], "country": "CN", "refs": [ "http://securelist.com/blog/research/57585/winnti-faq-more-than-just-a-game/", - "http://williamshowalter.com/a-universal-windows-bootkit/" + "http://williamshowalter.com/a-universal-windows-bootkit/", + "https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp" ] }, "value": "Axiom" @@ -360,7 +364,8 @@ "APT 10", "menuPass", "happyyongzi", - "POTASSIUM" + "POTASSIUM", + "DustStorm" ], "country": "CN" }, 
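Review bot: The Microsoft post added to Axiom's `refs` in this hunk is also the sole reference for the new standalone `Barium` cluster added later in this patch, yet `Lead` from that same post is folded into Axiom as a synonym; as far as I recall the post treats LEAD and BARIUM as two distinct activity groups that merely share the Winnti implant, so the two mappings are asymmetric and one of them may need to be undone later. If Lead is kept as a synonym here, record the basis so the next maintainer can judge it, e.g. append to the description: `Microsoft's LEAD is treated here as the Winnti/Axiom operator; BARIUM, which also uses Winnti, is kept as a separate cluster.`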
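Review bot: `DustStorm` is added to the APT10 synonyms without any accompanying entry in `refs`, unlike the other synonym additions in this patch (Lead/Wicked Spider and Moonlight each arrive with their supporting source), so a reader cannot tell which report ties Dust Storm to menuPass/Stone Panda. The campaign is generally cited as "Operation Dust Storm" (Cylance), so a lookup on that spelling will also miss this cluster. Suggest adding the supporting report URL to `refs` and listing both forms: `"DustStorm",` `"Operation Dust Storm"`.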
@@ -1045,7 +1050,12 @@ "meta": { "refs": [ "http://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf" - ] + ], + "synonyms": [ + "Skipper", + "Popeye" + ], + "country": "RU" }, "value": "Pacifier APT", "description": "Bitdefender detected and blocked an ongoing cyber-espionage campaign against Romanian institutions and other foreign targets. The attacks started in 2014, with the latest reported occurrences in May of 2016. The APT, dubbed Pacifier by Bitdefender researchers, makes use of malicious .doc documents and .zip files distributed via spear phishing e-mail." @@ -1209,15 +1219,6 @@ "description": "Libyan Scorpions is a malware operation in use since September 2015 and operated by a politically motivated group whose main objective is intelligence gathering, spying on influentials and political figures and operate an espionage campaign within Libya.", "value": "Libyan Scorpions" }, - { - "meta": { - "refs": [ - "https://www.virusbulletin.com/conference/vb2016/abstracts/last-minute-paper-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users" - ], - "country": "TU" - }, - "value": "StrongPity" - }, { "meta": { "synonyms": [ 
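Review bot: `"country": "RU"` is added to Pacifier APT as a state attribution, but the only reference remains the Bitdefender whitepaper and the description gives no attribution basis; if that paper does not itself attribute the campaign to Russia, add the source that does, or leave the field out rather than assert what the cluster cannot support. Skipper and Popeye are, I believe, also names used in public reporting for Turla first-stage tooling; if this file already carries a Turla cluster (not visible in this hunk), make sure those strings are not listed there too, since a synonym present in two clusters makes lookups ambiguous. For consistency with the other clusters in the file, consider placing `synonyms` before `refs` inside `meta`.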
@@ -1273,12 +1274,14 @@ "description": "In October 2012, malware attacks against Israeli government targets grabbed media attention as officials temporarily cut off Internet access for its entire police force and banned the use of USB memory sticks. Security researchers subsequently linked these attacks to a broader, yearlong campaign that targeted not just Israelis but Palestinians as well. and as discovered later, even the U.S. and UK governments. Further research revealed a connection between these attacks and members of the so-called “Gaza Hackers Team.” We refer to this campaign as “Molerats.”", "meta": { "refs": [ - "https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html" + "https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html", + "http://blog.vectranetworks.com/blog/moonlight-middle-east-targeted-attacks" ], "synonyms": [ "Gaza Hackers Team", "Operation Molerats", - "Extreme Jackal" + "Extreme Jackal", + "Moonlight" ] } }, 
@@ -1287,8 +1290,13 @@ "description": "PROMETHIUM is an activity group that has been active as early as 2012. The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, where it has masqueraded as one of server common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. In each of the campaigns, Truvasys malware evolved with additional features—this shows a close relationship between the activity groups behind the campaigns and the developers of the malware.", "meta": { "refs": [ - "https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/" - ] + "https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/", + "https://www.virusbulletin.com/conference/vb2016/abstracts/last-minute-paper-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users" + ], + "synonyms": [ + "StrongPity" + ], + "country": "TU" } }, { 
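Review bot: `"country": "TU"` on the new side is not an ISO 3166-1 alpha-2 code — Turkey is `TR`; the value was carried over from the deleted StrongPity entry, and the merge is the moment to correct it: `"country": "TR"`. The other clusters touched by this patch use two-letter codes (`CN`, `RU`), so keep alpha-2 here. Because the cluster now merges Microsoft's PROMETHIUM with the VB2016 StrongPity paper, one sentence in the description stating that the two names are treated as the same activity, and on whose assessment, would help whoever later has to decide whether to split them again.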
@@ -1408,6 +1416,75 @@ "http://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution" ] } + }, + { + "meta": { + "country": "CHN", + "synonyms": [ + "Zhenbao" + ], + "refs": [ + "http://www.darkreading.com/endpoint/chinese-cyberspies-pivot-to-russia-in-wake-of-obama-xi-pact/d/d-id/1324242" + ] + }, + "value": "Hammer Panda", + "description": "Hammer Panda is a group of suspected Chinese origin targeting organisations in Russia." + }, + { + "meta": { + "country": "CHN", + "refs": [ + "https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp" + ] + }, + "value": "Barium", + "description": "Barium is one of the groups using Winnti." + }, + { + "meta": { + "country": "IRN", + "synonyms": [ + "Operation Mermaid" + ], + "refs": [ + "https://www.blackhat.com/docs/us-16/materials/us-16-Guarnieri-Iran-And-The-Soft-War-For-Internet-Dominance-wp.pdf" + ] + }, + "value": "Infy", + "description": "Infy is a group of suspected Iranian origin." + }. + { + "meta": { + "country": "IRN", + "refs": [ + "https://www.blackhat.com/docs/us-16/materials/us-16-Guarnieri-Iran-And-The-Soft-War-For-Internet-Dominance-wp.pdf" + ] + }, + "value": "Sima", + "description": "Sima is a group of suspected Iranian origin targeting Iranians in diaspora." + }, + { + "meta": { + "country": "CHN", + "synonyms": [ + "Cloudy Omega" + ], + "refs": [ + "https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/" + ] + }, + "value": "Blue Termite", + "description": "Blue Termite is a group of suspected Chinese origin active in Japan." + }, + { + "meta": { + "country": "UKR", + "refs": [ + "http://www.welivesecurity.com/2016/05/18/groundbait" + ] + }, + "value": "Groundbait", + "description": "Groundbait is a group targeting anti-government separatists in the self-declared Donetsk and Luhansk People’s Republics." } ], "name": "Threat actor",
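Review bot: The new Infy entry is closed with `}.` instead of `},` (`"description": "Infy is a group of suspected Iranian origin." }.`), which makes `clusters/threat-actor.json` invalid JSON; every strict parser, and hence any MISP instance loading this galaxy, will reject the entire file, so change it to `},`. The new clusters also use three-letter country codes (`CHN`, `IRN`, `UKR`) while the existing clusters visible in this patch use two-letter codes (`CN`, `RU`), so consumers filtering on `country` will miss them; use `"CN"`, `"IR"` and `"UA"`. Blue Termite is added but not mentioned in the commit message, and several descriptions say the origin is only "suspected" while `country` asserts it outright — either soften the field or note the attribution confidence in the description.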