Added groups, joined groups, added synonyms (see extended description)

Added: HammerPanda, Barium, Infy, Sima, Groundbait
Joined: StrongPity and Promethium
Synonyms: Lead as Winnti, Moonlight as MoleRats, FalloutTeam as DarkHotel, DustStorm as StonePanda, Skipper and Popeye as Pacifier
CERT-Bund 2017-03-16 17:02:55 +01:00 committed by GitHub
parent 71ad9099c4
commit 4112a041f7


@ -163,7 +163,8 @@
{
"meta": {
"synonyms": [
"DUBNIUM"
"DUBNIUM",
"Fallout Team"
],
"refs": [
"https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/",
@ -255,12 +256,15 @@
"Group72",
"Tailgater",
"Ragebeast",
"Blackfly"
"Blackfly",
"Lead",
"Wicked Spider"
],
"country": "CN",
"refs": [
"http://securelist.com/blog/research/57585/winnti-faq-more-than-just-a-game/",
"http://williamshowalter.com/a-universal-windows-bootkit/"
"http://williamshowalter.com/a-universal-windows-bootkit/",
"https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp"
]
},
"value": "Axiom"
@ -360,7 +364,8 @@
"APT 10",
"menuPass",
"happyyongzi",
"POTASSIUM"
"POTASSIUM",
"DustStorm"
],
"country": "CN"
},
@ -1045,7 +1050,12 @@
"meta": {
"refs": [
"http://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf"
]
],
"synonyms": [
"Skipper",
"Popeye"
],
"country": "RU"
},
"value": "Pacifier APT",
"description": "Bitdefender detected and blocked an ongoing cyber-espionage campaign against Romanian institutions and other foreign targets. The attacks started in 2014, with the latest reported occurrences in May of 2016. The APT, dubbed Pacifier by Bitdefender researchers, makes use of malicious .doc documents and .zip files distributed via spear phishing e-mail."
@ -1209,15 +1219,6 @@
"description": "Libyan Scorpions is a malware operation in use since September 2015 and operated by a politically motivated group whose main objective is intelligence gathering, spying on influentials and political figures and operate an espionage campaign within Libya.",
"value": "Libyan Scorpions"
},
{
"meta": {
"refs": [
"https://www.virusbulletin.com/conference/vb2016/abstracts/last-minute-paper-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users"
],
"country": "TU"
},
"value": "StrongPity"
},
{
"meta": {
"synonyms": [
@ -1273,12 +1274,14 @@
"description": "In October 2012, malware attacks against Israeli government targets grabbed media attention as officials temporarily cut off Internet access for its entire police force and banned the use of USB memory sticks. Security researchers subsequently linked these attacks to a broader, yearlong campaign that targeted not just Israelis but Palestinians as well. and as discovered later, even the U.S. and UK governments. Further research revealed a connection between these attacks and members of the so-called “Gaza Hackers Team.” We refer to this campaign as “Molerats.”",
"meta": {
"refs": [
"https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html"
"https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html",
"http://blog.vectranetworks.com/blog/moonlight-middle-east-targeted-attacks"
],
"synonyms": [
"Gaza Hackers Team",
"Operation Molerats",
"Extreme Jackal"
"Extreme Jackal",
"Moonlight"
]
}
},
@ -1287,8 +1290,13 @@
"description": "PROMETHIUM is an activity group that has been active as early as 2012. The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, where it has masqueraded as one of server common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. In each of the campaigns, Truvasys malware evolved with additional features—this shows a close relationship between the activity groups behind the campaigns and the developers of the malware.",
"meta": {
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/"
]
"https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/",
"https://www.virusbulletin.com/conference/vb2016/abstracts/last-minute-paper-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users"
],
"synonyms": [
"StrongPity"
],
"country": "TU"
}
},
{
@ -1408,6 +1416,75 @@
"http://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution"
]
}
},
{
"meta": {
"country": "CHN",
"synonyms": [
"Zhenbao"
],
"refs": [
"http://www.darkreading.com/endpoint/chinese-cyberspies-pivot-to-russia-in-wake-of-obama-xi-pact/d/d-id/1324242"
]
},
"value": "Hammer Panda",
"description": "Hammer Panda is a group of suspected Chinese origin targeting organisations in Russia."
},
{
"meta": {
"country": "CHN",
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp"
]
},
"value": "Barium",
"description": "Barium is one of the groups using Winnti."
},
{
"meta": {
"country": "IRN",
"synonyms": [
"Operation Mermaid"
],
"refs": [
"https://www.blackhat.com/docs/us-16/materials/us-16-Guarnieri-Iran-And-The-Soft-War-For-Internet-Dominance-wp.pdf"
]
},
"value": "Infy",
"description": "Infy is a group of suspected Iranian origin."
}.
{
"meta": {
"country": "IRN",
"refs": [
"https://www.blackhat.com/docs/us-16/materials/us-16-Guarnieri-Iran-And-The-Soft-War-For-Internet-Dominance-wp.pdf"
]
},
"value": "Sima",
"description": "Sima is a group of suspected Iranian origin targeting Iranians in diaspora."
},
{
"meta": {
"country": "CHN",
"synonyms": [
"Cloudy Omega"
],
"refs": [
"https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/"
]
},
"value": "Blue Termite",
"description": "Blue Termite is a group of suspected Chinese origin active in Japan."
},
{
"meta": {
"country": "UKR",
"refs": [
"http://www.welivesecurity.com/2016/05/18/groundbait"
]
},
"value": "Groundbait",
"description": "Groundbait is a group targeting anti-government separatists in the self-declared Donetsk and Luhansk Peoples Republics."
}
],
"name": "Threat actor",
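Review bot: The new Infy entry is closed with `}.` (the line right after `"description": "Infy is a group of suspected Iranian origin."`) instead of `},`, which makes the whole file invalid JSON, so a strict parser will reject the entire galaxy rather than just that record; change it to `},`. The new entries also use three-letter country codes (`"country": "CHN"`, `"IRN"`, `"UKR"`) while existing entries in the same file use two-letter codes (`"country": "CN"` in the Axiom and APT 10 hunks), so any consumer filtering or grouping on `country` would see two encodings for the same country; unless the mix is intentional, `"CN"`, `"IR"` and `"UA"` would match the existing convention. The `"country": "TU"` value carried into the PROMETHIUM entry from the removed StrongPity record is likewise not a two-letter ISO 3166-1 code and is worth checking at the same time. This last hunk ends at the close of the values array; the enclosing object continues outside the hunk.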