From ff9a8ddfe35ece880d286cbd2385f7648450862c Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Tue, 7 Nov 2023 14:47:11 +0100
Subject: [PATCH 01/15] [threat-actors] Add BadRory
---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index fca33c9..6498302 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -12501,6 +12501,16 @@
 },
 "uuid": "0e9bbcf1-9273-4438-b437-287317bfb989",
 "value": "TA499"
+ },
+ {
+ "description": "Kaspersky researchers have identified a new APT group named BadRory that has mounted two waves of spear-phishing attacks against Russian organizations. The campaigns took place in October 2022 and April 2023 and leveraged boobytrapped Office emails. Targets included government entities, military contractors, universities, and hospitals.",
+ "meta": {
+ "refs": [
+ "https://securelist.com/apt-trends-report-q3-2023/110752/"
+ ]
+ },
+ "uuid": "aa74d1f3-b294-405b-bb18-3ac1c13560a1",
+ "value": "BadRory"
 }
 ],
 "version": 292
From 10d27206a75236736273f5dad0113c17546c516f Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Tue, 7 Nov 2023 14:47:11 +0100
Subject: [PATCH 02/15] [threat-actors] Add SharpPanda
---
 clusters/threat-actor.json | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 6498302..d0ebb86 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
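Review bot: The `description` is written in the source article's news voice ("Kaspersky researchers have identified a new APT group…") and describes the lure as "boobytrapped Office emails", which tells an analyst neither what the actor is nor what the attachment was. A galaxy entry should describe the actor directly and carry its first-seen date, e.g. `"description": "BadRory is an APT group, first reported by Kaspersky in 2023, that ran two waves of spear-phishing (October 2022 and April 2023) against Russian government entities, military contractors, universities and hospitals, using malicious Microsoft Office attachments."`. No `country` is set, which is right given the single ref does not attribute the group; if this cluster records victim geography in a meta field on other entries, Russia as the targeted country is worth capturing here too.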
@@ -12511,6 +12511,19 @@
 },
 "uuid": "aa74d1f3-b294-405b-bb18-3ac1c13560a1",
 "value": "BadRory"
+ },
+ {
+ "description": "SharpPanda, an APT group originating from China, has seen a rise in its cyber-attack operations starting from at least 2018. The APT group utilizes spear-phishing techniques to obtain initial access, employing a combination of outdated Microsoft Office document vulnerabilities, novel evasion techniques, and highly potent backdoor malware.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://blog.cyble.com/2023/06/01/sharppanda-apt-campaign-expands-its-arsenal-targeting-g20-nations/",
+ "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-sharppanda-chinese-apt-group-targets-southeast-asian-government-active-iocs",
+ "https://research.checkpoint.com/2021/chinese-apt-group-targets-southeast-asian-government-with-previously-unknown-backdoor/"
+ ]
+ },
+ "uuid": "7133a722-088c-4d5a-b2e0-a1f9915f807d",
+ "value": "SharpPanda"
 }
 ],
 "version": 292
From bc8904110b2507bcde86e76846c86c89b4921392 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Tue, 7 Nov 2023 14:47:11 +0100
Subject: [PATCH 03/15] [threat-actors] Add Guacamaya
---
 clusters/threat-actor.json | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index d0ebb86..b5c6426 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
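Review bot: The `description` carries no victimology, although all three `refs` state it in their URLs (Southeast Asian governments, G20 nations), and the second sentence's "novel evasion techniques, and highly potent backdoor malware" is marketing language rather than a TTP statement. Suggest tightening to what the refs document: `"description": "SharpPanda is a China-attributed APT group active since at least 2018 that targets Southeast Asian government entities (expanding to G20 nations per 2023 reporting) with spear-phishing carrying Office documents that exploit older vulnerabilities to deliver a custom backdoor."`. Whether the Cyble and Check Point pieces describe the same backdoor family should be confirmed before the entry names it.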
@@ -12524,6 +12524,22 @@
 },
 "uuid": "7133a722-088c-4d5a-b2e0-a1f9915f807d",
 "value": "SharpPanda"
+ },
+ {
+ "description": "Guacamaya has conducted multiple hack and leak campaigns against military and police agencies and mining companies across Latin America, which they believe have played a role in the region’s environmental degradation and repression of native populations.",
+ "meta": {
+ "refs": [
+ "https://cyberscoop.com/environmentalist-hacktivist-collective-mining-company/",
+ "https://srslyriskybiz.substack.com/p/recent-cyber-chaos-is-a-structural",
+ "https://finance.yahoo.com/news/analysis-mexico-data-hack-exposes-003101651.html",
+ "https://www.redpacketsecurity.com/guacamaya-hacktivists-stole-sensitive-data-from-mexico-and-latin-american-countries/",
+ "https://research.checkpoint.com/2022/3rd-october-threat-intelligence-report/",
+ "https://www.cyberscoop.com/central-american-hacking-group-releases-emails/",
+ "https://therecord.media/mexican-army-spyware"
+ ]
+ },
+ "uuid": "51f056f5-b596-446e-9394-a310af4e2e75",
+ "value": "Guacamaya"
 }
 ],
 "version": 292
From d1f382602c7ef63e64c44feeee287f518ffd371e Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Tue, 7 Nov 2023 14:47:11 +0100
Subject: [PATCH 04/15] [threat-actors] Add DustSquad
---
 clusters/threat-actor.json | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index b5c6426..2430253 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
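Review bot: In the `description`, "which they believe have played a role" has no clear antecedent (the group, or the agencies and companies?), and "hack and leak" should be hyphenated as a compound modifier. Proposed: `"description": "Guacamaya is a hacktivist collective that has run multiple hack-and-leak campaigns against military and police agencies and mining companies across Latin America, which the group accuses of contributing to the region's environmental degradation and the repression of indigenous populations."`. The hacktivist motive lives only in prose here; if this cluster records `motive` on other hacktivist entries, set it on this one too so the entry is filterable. Two of the seven refs (the Check Point weekly report and the substack piece) are roundups; the primary reporting from CyberScoop and The Record already covers the campaigns.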
@@ -12540,6 +12540,22 @@
 },
 "uuid": "51f056f5-b596-446e-9394-a310af4e2e75",
 "value": "Guacamaya"
+ },
+ {
+ "description": "Prodaft researchers have published a report on Paperbug, a cyber-espionage campaign carried out by suspected Russian-speaking group Nomadic Octopus and which targeted entities in Tajikistan. According to Prodaft, known compromised victims included high-ranking government officials, telcos, and public service infrastructures. Compromised devices also included OT devices, besides your typical computers, servers, and mobile devices. In typical Prodaft fashion, the company also gained access to one of the group's C&C server backend panels.",
+ "meta": {
+ "aliases": [
+ "Nomadic Octopus"
+ ],
+ "country": "RU",
+ "refs": [
+ "https://securelist.com/octopus-infested-seas-of-central-asia/88200/",
+ "https://www.prodaft.com/m/reports/PAPERBUG_TLPWHITE-1.pdf",
+ "https://www.virusbulletin.com/conference/vb2018/abstracts/nomadic-octopus-cyber-espionage-central-asia/"
+ ]
+ },
+ "uuid": "7b227f41-efea-4dc0-8a2a-148893795ce4",
+ "value": "DustSquad"
 }
 ],
 "version": 292
From 58fb9162b0322bf37958b47eab43e1179a7aae57 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Tue, 7 Nov 2023 14:47:12 +0100
Subject: [PATCH 05/15] [threat-actors] Add KromSec
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 2430253..03f33ff 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
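Review bot: The entry's `value` is "DustSquad" but the `description` never uses that name, speaking only of Nomadic Octopus and the Paperbug campaign, so a reader cannot tell why the Kaspersky "Octopus" report and the Prodaft report are filed under this cluster; state the mapping explicitly, e.g. open with `"description": "DustSquad (also tracked as Nomadic Octopus) is a suspected Russian-speaking cyber-espionage actor active against Central Asian targets, most recently in the Paperbug campaign against Tajikistan documented by Prodaft."`. `"country": "RU"` is also stronger than the description's own "suspected Russian-speaking", which is a language-based indicator rather than a geographic attribution; either hedge it in the description or record a low confidence value if this cluster carries `attribution-confidence` on other entries. The editorial asides ("In typical Prodaft fashion", "your typical computers") are copied from a news write-up and do not belong in a CTI record.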
@@ -12556,6 +12556,17 @@
 },
 "uuid": "7b227f41-efea-4dc0-8a2a-148893795ce4",
 "value": "DustSquad"
+ },
+ {
+ "description": "KromSec is a hacktivist group that claims to be composed of hackers, activists, writers, and journalists. The group has been involved in a number of high-profile cyberattacks, including a cyber offensive against Iran in September 2022 and the sale of the database of the Iran Ministry of Industries and Mines on a hacker forum in November 2023. KromSec's attacks have been met with mixed reactions, but the group has quickly made a name for itself as a significant threat to governments and organizations around the world.",
+ "meta": {
+ "refs": [
+ "https://thecyberexpress.com/kromsec-sells-iran-ministry-database-dark-web/",
+ "https://cybershafarat.com/2022/11/17/kromsec-outs-anonopsse-as-iranian-regime-makes-statement/"
+ ]
+ },
+ "uuid": "f4b81cb7-0492-414f-8bf4-cc806cbff1a9",
+ "value": "KromSec"
 }
 ],
 "version": 292
From 409363267412188bc30ee15fd650ef9ceef22022 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Tue, 7 Nov 2023 14:47:12 +0100
Subject: [PATCH 06/15] [threat-actors] Add Cyber Av3ngers
---
 clusters/threat-actor.json | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 03f33ff..5eb2dcb 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
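Review bot: The closing sentence of the `description` ("met with mixed reactions, but the group has quickly made a name for itself as a significant threat to governments and organizations around the world") is editorial and supported by neither ref; drop it and keep to the claimed operations. Neither ref URL visibly covers a "cyber offensive against Iran in September 2022", so that date should be confirmed against the article bodies or removed. Proposed: `"description": "KromSec is a hacktivist group that describes itself as composed of hackers, activists, writers and journalists. It has claimed operations against the Iranian government since 2022, including offering for sale on a hacker forum, in November 2023, a database it attributes to Iran's Ministry of Industries and Mines."`.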
@@ -12567,6 +12567,19 @@
 },
 "uuid": "f4b81cb7-0492-414f-8bf4-cc806cbff1a9",
 "value": "KromSec"
+ },
+ {
+ "description": "The hacktivist group ‘Cyber Av3ngers’ has historically claimed attacks on Israel’s critical infrastructures. It has been launching DDoS attacks and claiming breach of Israeli networks with supporting data leaks.",
+ "meta": {
+ "country": "IR",
+ "refs": [
+ "https://securelist.com/a-hack-in-hand-is-worth-two-in-the-bush/110794/",
+ "https://cyberwarzone.com/cyber-av3ngers-claims-infiltration-of-israeli-water-treatment-stations-amid-ongoing-conflict/",
+ "https://cyberwarzone.com/hacking-group-cyber-av3ngers-claims-responsibility-for-yavne-power-outages-what-you-need-to-know/"
+ ]
+ },
+ "uuid": "286db62d-859d-48e2-9601-1b7abde9f3c3",
+ "value": "Cyber Av3ngers"
 }
 ],
 "version": 292
From 40fb100ff9a6575d5cca3967c93b6fd17ed9ac99 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Tue, 7 Nov 2023 14:47:12 +0100
Subject: [PATCH 07/15] [threat-actors] Add Altahrea Team
---
 clusters/threat-actor.json | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 5eb2dcb..98f0365 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
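Review bot: `"country": "IR"` is asserted without anything in the `description` supporting it; the text only calls Cyber Av3ngers a hacktivist group that claims attacks on Israel. Either add the sentence (and cite the ref, presumably the Kaspersky piece) that establishes the Iran link, or remove `"country": "IR",` until it can be sourced, since downstream consumers treat this field as attribution. Two of the three refs are cyberwarzone aggregator posts that relay the group's own claims; the entry would be stronger citing the primary reporting they summarize. The curly quotes around ‘Cyber Av3ngers’ are also out of step with the plain ASCII quoting used elsewhere in the file.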
@@ -12580,6 +12580,22 @@
 },
 "uuid": "286db62d-859d-48e2-9601-1b7abde9f3c3",
 "value": "Cyber Av3ngers"
+ },
+ {
+ "description": "Altahrea Team is a pro-Iranian hacking group that has been active since at least 2020. The group has claimed responsibility for a number of cyberattacks, including DDoS attacks against Israeli websites, a hack of the Israel Airports Authority website, and a cyberattack on the Orot Yosef power plant in Israel.",
+ "meta": {
+ "country": "IQ",
+ "refs": [
+ "https://securelist.com/ddos-attacks-in-q2-2022/107025/",
+ "https://www.timesofisrael.com/cyberattack-on-health-ministry-website-blocks-overseas-access/",
+ "https://techmonitor.ai/technology/cybersecurity/alahrea-team-power-plant-fire-israel",
+ "https://www.presstv.ir/Detail/2022/07/27/686324/Iraqi-hacker-group--ALtahrea-Team--targets-Israeli-IT,-e-commerce-companies-with-major-cyber-attack",
+ "https://www.hackread.com/pro-iran-altahrea-hit-port-of-london-website-ddos-attack/",
+ "https://nsi-globalcounterintelligence.com/cyber-security/pro-iran-hackers-target-israel-airports-authority-website/"
+ ]
+ },
+ "uuid": "b87f9ba7-f480-4ed5-b60e-b880e6b519ea",
+ "value": "Altahrea Team"
 }
 ],
 "version": 292
From 2111f509683602178ee38b9a4a24f78ea48ca0dc Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Tue, 7 Nov 2023 14:47:12 +0100
Subject: [PATCH 08/15] [threat-actors] Add 1937CN
---
 clusters/threat-actor.json | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 98f0365..b9ff09d 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
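Review bot: The `description` calls Altahrea Team "pro-Iranian" while `meta.country` is `"IQ"`, which reads as a contradiction until one notices the PressTV ref's URL describing an "Iraqi hacker group"; make the two consistent in the text itself, e.g. `"description": "Altahrea Team is an Iraq-based, pro-Iranian hacking group that has been active since at least 2020. ..."`. The refs also cover a DDoS against the Port of London website and an attack on Israel's Health Ministry site that the description omits. The "cyberattack on the Orot Yosef power plant" appears, from the techmonitor URL, to be a claim rather than a confirmed intrusion, so the "has claimed responsibility" framing should be kept and should not be read as attribution of the fire.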
@@ -12596,6 +12596,20 @@
 },
 "uuid": "b87f9ba7-f480-4ed5-b60e-b880e6b519ea",
 "value": "Altahrea Team"
+ },
+ {
+ "description": "1937CN is a Chinese hacking group that has been active since at least 2013. The group is known for targeting Vietnamese organizations, including government agencies, businesses, and media outlets. 1937CN has been linked to a number of high-profile cyberattacks, including the hacking of Vietnam Airlines in 2016 and the defacement of Vietnamese government websites in 2015.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.trendmicro.com/en_us/research/23/b/earth-zhulong-familiar-patterns-target-southeast-asian-firms.html",
+ "https://www.recordedfuture.com/international-hacktivism-analysis/",
+ "http://securityaffairs.co/wordpress/49876/hacking/china-1937cn-team-vietnam.html",
+ "https://medium.com/@Sebdraven/malicious-document-targets-vietnamese-officials-acb3b9d8b80a"
+ ]
+ },
+ "uuid": "391573c5-9c21-4984-b6b8-97d42623d6cc",
+ "value": "1937CN"
 }
 ],
 "version": 292
From 798cebc970690a278200d3c9253ff76e75ba4c72 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Tue, 7 Nov 2023 14:47:12 +0100
Subject: [PATCH 09/15] [threat-actors] Add ShroudedSnooper
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index b9ff09d..4928f12 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
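Review bot: The third ref, `http://securityaffairs.co/wordpress/49876/hacking/china-1937cn-team-vietnam.html`, is the only plain-HTTP URL in the set; switch it to `https://` if the page resolves over TLS, since galaxy refs are fetched by tooling and a cleartext link is trivially tamperable in transit. The first ref is Trend Micro's Earth Zhulong report, but the entry never says how Earth Zhulong relates to 1937CN; if the report ties the two, record `"Earth Zhulong"` under `synonyms` (or as a related cluster), otherwise its relevance is unclear to a reader. The 2015 defacements and the 2016 Vietnam Airlines incident in the description are not visibly tied to any ref's title, so each should be checked against the cited articles before being stated as fact.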
@@ -12610,6 +12610,17 @@
 },
 "uuid": "391573c5-9c21-4984-b6b8-97d42623d6cc",
 "value": "1937CN"
+ },
+ {
+ "description": "In September 2023, Cisco Talos identified a new malware family that it calls ‘HTTPSnoop’ being deployed against telecommunications providers in the Middle East. They also discovered a sister implant to 'HTTPSnoop,’ that they are naming ‘PipeSnoop,’ which can accept arbitrary shellcode from a named pipe and execute it on the infected endpoint. Based on these findings, the researchers assess with high confidence that both implants belong to a new intrusion set that it named ‘ShroudedSnooper.’",
+ "meta": {
+ "refs": [
+ "https://blog.talosintelligence.com/introducing-shrouded-snooper/",
+ "https://www.sentinelone.com/labs/the-israel-hamas-war-cyber-domain-state-sponsored-activity-of-interest/"
+ ]
+ },
+ "uuid": "3437c5a5-4c42-4665-99df-b17bc57a7ba6",
+ "value": "ShroudedSnooper"
 }
 ],
 "version": 292
From 1246088d765b30b93318257b6a1078d3a2b13162 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Tue, 7 Nov 2023 14:47:12 +0100
Subject: [PATCH 10/15] [threat-actors] Add ShinyHunters
---
 clusters/threat-actor.json | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 4928f12..76516ec 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
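Review bot: The `description` switches referent mid-paragraph ("that it calls", "They also discovered", "that they are naming", "that it named") and mixes straight and curly quotes (`'HTTPSnoop,’`), because it is pasted from the Talos write-up. Rewrite in one voice with the actor named first: `"description": "ShroudedSnooper is an intrusion set named by Cisco Talos in September 2023 after it found two implants, HTTPSnoop and PipeSnoop, deployed against telecommunications providers in the Middle East. PipeSnoop accepts arbitrary shellcode from a named pipe and executes it on the infected endpoint; Talos assesses with high confidence that both implants belong to the same actor."`. The SentinelOne ref is a survey of state-sponsored activity around the Israel-Hamas war; whether it covers ShroudedSnooper is not evident from its URL and should be confirmed before it is cited.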
@@ -12621,6 +12621,18 @@
 },
 "uuid": "3437c5a5-4c42-4665-99df-b17bc57a7ba6",
 "value": "ShroudedSnooper"
+ },
+ {
+ "description": "ShinyHunters is a cybercriminal group of unknown origin that is motivated by financial gain. The group is known for its sophisticated attacks against a wide range of targets, including businesses, organizations, and government agencies. ShinyHunters typically uses phishing attacks and exploit kits to gain access to victim networks, where they deploy malware to steal sensitive data, such as names, addresses, phone numbers, Social Security numbers, and credit card information.",
+ "meta": {
+ "refs": [
+ "https://cyberwarzone.com/shinyhunters-22-year-old-member-pleads-guilty-to-cyber-extortion-causing-6-million-in-damage/",
+ "https://www.bitdefender.com/blog/hotforsecurity/pizza-hut-australia-leaks-one-million-customers-details-claims-shinyhunters-hacking-group/",
+ "https://www.justice.gov/usao-wdwa/pr/alleged-french-cybercriminal-appear-seattle-indictment-conspiracy-computer-intrusion"
+ ]
+ },
+ "uuid": "d4fd0a30-15d4-4dfd-bf98-beff5fe34c33",
+ "value": "ShinyHunters"
 }
 ],
 "version": 292
From c3b6878cf366e2e636f605de52697dfe795b4be4 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Tue, 7 Nov 2023 14:47:12 +0100
Subject: [PATCH 11/15] [threat-actors] Add IronHusky
---
 clusters/threat-actor.json | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 76516ec..cd990c5 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
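Review bot: The TTP claims in the `description` — "phishing attacks and exploit kits", "deploy malware", theft of "Social Security numbers" — are not traceable to any of the three refs, whose subjects are a guilty plea for extortion, the Pizza Hut Australia leak claim, and a DOJ indictment for computer-intrusion conspiracy. A threat-actor record should assert only what its refs document; proposed: `"description": "ShinyHunters is a financially motivated cybercriminal group of unknown origin known for large-scale theft of customer databases, which it sells or uses for extortion. A member indicted in the Western District of Washington has pleaded guilty to extortion-related charges."`. The specific intrusion methods can be restored once a ref that actually documents them is added.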
@@ -12633,6 +12633,18 @@
 },
 "uuid": "d4fd0a30-15d4-4dfd-bf98-beff5fe34c33",
 "value": "ShinyHunters"
+ },
+ {
+ "description": "IronHusky is a Chinese-based threat actor first attributed in July 2017 targeting Russian and Mongolian governments, as well as aviation companies and research institutes. Since their initial attacks ceased in 2018, they have been working on a new remote access trojan dubbed MysterySnail.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/",
+ "https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk175885"
+ ]
+ },
+ "uuid": "34d1e532-3d47-44cb-b87c-7e9cbba2321e",
+ "value": "IronHusky"
 }
 ],
 "version": 292
From 7163ed20680a912445e0bea54b908c6080895ad4 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Tue, 7 Nov 2023 14:47:12 +0100
Subject: [PATCH 12/15] [threat-actors] Add UserSec
---
 clusters/threat-actor.json | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index cd990c5..de791d9 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
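Review bot: "Chinese-based" in the `description` should be "China-based", and "Since their initial attacks ceased in 2018, they have been working on a new remote access trojan" presents ongoing development as fact while omitting the one observation the Kaspersky ref's title does carry: MysterySnail was delivered through a Windows zero-day. Proposed: `"description": "IronHusky is a China-based threat actor first reported in July 2017 targeting Russian and Mongolian government bodies, aviation companies and research institutes. After its initial campaigns ended in 2018 it resurfaced with a new remote access trojan, MysterySnail, which Kaspersky observed being delivered through a Windows zero-day."`. The Check Point ref is a support-center knowledge-base article; if it only lists protection coverage rather than describing the actor, a research write-up would serve readers better.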
@@ -12645,6 +12645,20 @@
 },
 "uuid": "34d1e532-3d47-44cb-b87c-7e9cbba2321e",
 "value": "IronHusky"
+ },
+ {
+ "description": "UserSec is a pro-Russian hacking group that has been active since at least 2022. The group is known for its DDoS attacks and has collaborated with other pro-Russian hacking groups. In May 2023, UserSec announced a cyber campaign targeting NATO member states and joined forces with KillNet to launch attacks against NATO.",
+ "meta": {
+ "country": "RU",
+ "refs": [
+ "https://therecord.media/scandinavian-airlines-cyberattack-anonymous-sudan/",
+ "https://blog.cyble.com/2023/05/24/notable-ddos-attack-tools-and-services-supporting-hacktivist-operations-in-2023/",
+ "https://socradar.io/cyber-shadows-pact-darknet-parliament-killnet-anonymous-sudan-revil/",
+ "https://socradar.io/dark-peep-2-war-and-a-piece-of-hilarity/"
+ ]
+ },
+ "uuid": "d0e1811e-53f9-48b5-b2ef-107e0f53239b",
+ "value": "UserSec"
 }
 ],
 "version": 292
From c0fd66e3cd7e3c76fff3afade1bb6a6f834a991c Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Tue, 7 Nov 2023 14:47:12 +0100
Subject: [PATCH 13/15] [threat-actors] Add UAC-0094
---
 clusters/threat-actor.json | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index de791d9..d3bbbf8 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
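Review bot: The first ref, `https://therecord.media/scandinavian-airlines-cyberattack-anonymous-sudan/`, names neither UserSec nor NATO in its URL, so its relevance to this entry should be confirmed or the ref dropped. The KillNet collaboration stated in the `description` exists only as prose; if KillNet already has a cluster in this file, add a `related` entry pointing at its uuid so the link is machine-readable rather than buried in text. `"country": "RU"` is plausible for a self-described pro-Russian group but "pro-Russian" is alignment, not origin, so consider hedging the description or recording a confidence value if the cluster supports one.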
@@ -12659,6 +12659,18 @@
 },
 "uuid": "d0e1811e-53f9-48b5-b2ef-107e0f53239b",
 "value": "UserSec"
+ },
+ {
+ "description": "State Service of Special Communication and Information Protection of Ukraine spotted a new wave of cyber attacks aimed at gaining access to users’ Telegram accounts. The Ukrainian CERT attributes the hacking campaign to threat actors tracked as UAC-0094. Threat actors are targeting Telegram users by sending Telegram messages with malicious links to the Telegram website in order to gain unauthorized access to the records and transfer a one-time code from SMS.",
+ "meta": {
+ "country": "RU",
+ "refs": [
+ "https://cert.gov.ua/article/39253",
+ "https://vulners.com/thn/THN:4C1C2CD10F20E08DD74D465450DF3F17?utm_source=rss&utm_medium=rss&utm_campaign=rss"
+ ]
+ },
+ "uuid": "def3c4e4-9d59-478f-8895-d3850cfa99c3",
+ "value": "UAC-0094"
 }
 ],
 "version": 292
From a1f64c63de3f5ea821a2098d52ee115ce9ff5f48 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Tue, 7 Nov 2023 14:47:12 +0100
Subject: [PATCH 14/15] [threat-actors] Add TraderTraitor
---
 clusters/threat-actor.json | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index d3bbbf8..252012e 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
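Review bot: `"country": "RU"` is asserted while the `description` only says CERT-UA attributes the campaign to UAC-0094, with no statement of Russian origin; either add the sentence from the cert.gov.ua article that supports it or drop the field. The second ref is a Vulners mirror of a The Hacker News article carrying `?utm_source=rss&utm_medium=rss&utm_campaign=rss` tracking parameters, which should be stripped (`"https://vulners.com/thn/THN:4C1C2CD10F20E08DD74D465450DF3F17"`) or replaced by the original article. The description also needs a leading article ("The State Service of Special Communication…"), and its last clause ("gain unauthorized access to the records and transfer a one-time code from SMS") is garbled; it should say what the link does — presumably a lookalike login page that harvests the SMS one-time code, to be confirmed against the CERT-UA article.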
@@ -12671,6 +12671,23 @@
 },
 "uuid": "def3c4e4-9d59-478f-8895-d3850cfa99c3",
 "value": "UAC-0094"
+ },
+ {
+ "description": "TraderTraitor targets blockchain companies through spear-phishing messages. The group sends these messages to employees, particularly those in system administration or software development roles, on various communication platforms, intended to gain access to these start-up and high-tech companies. TraderTraitor may be the work of operators previously responsible for APT38 activity.",
+ "meta": {
+ "aliases": [
+ "Jade Sleet",
+ "UNC4899"
+ ],
+ "country": "KP",
+ "refs": [
+ "https://www.mandiant.com/resources/blog/north-korea-supply-chain",
+ "https://us-cert.cisa.gov/ncas/alerts/aa22-108a",
+ "https://www.mandiant.com/resources/blog/north-korea-cyber-structure-alignment-2023"
+ ]
+ },
+ "uuid": "825abfd9-7238-4438-a9e7-c08791f4df4e",
+ "value": "TraderTraitor"
 }
 ],
 "version": 292
From 32062206be17f25a01fed20c16a8f7ff1a2dfac5 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 7 Nov 2023 16:08:19 +0100
Subject: [PATCH 15/15] fix: [threat-actor] replace `aliases` -> `synonyms` + version updated
---
 clusters/threat-actor.json | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 252012e..2f88cb7 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
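Review bot: `"Jade Sleet"` is recorded as an alias, but none of the three refs is the Microsoft publication that uses that name, so the mapping is unsourced; add that reference or hold the alias until it can be cited (`UNC4899` at least plausibly traces to the Mandiant structure-alignment ref). The description covers only the spear-phishing lure, while the first Mandiant ref's URL points to a supply-chain intrusion the entry never mentions; if the ref supports it, a sentence such as `"The group has also been linked to supply-chain intrusions against the same sector."` would reflect the cited material. `us-cert.cisa.gov` is the legacy CISA host; if it still redirects the link works, but the `www.cisa.gov` advisory URL is the stable citation.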
@@ -12544,14 +12544,14 @@
 {
 "description": "Prodaft researchers have published a report on Paperbug, a cyber-espionage campaign carried out by suspected Russian-speaking group Nomadic Octopus and which targeted entities in Tajikistan. According to Prodaft, known compromised victims included high-ranking government officials, telcos, and public service infrastructures. Compromised devices also included OT devices, besides your typical computers, servers, and mobile devices. In typical Prodaft fashion, the company also gained access to one of the group's C&C server backend panels.",
 "meta": {
- "aliases": [
- "Nomadic Octopus"
- ],
 "country": "RU",
 "refs": [
 "https://securelist.com/octopus-infested-seas-of-central-asia/88200/",
 "https://www.prodaft.com/m/reports/PAPERBUG_TLPWHITE-1.pdf",
 "https://www.virusbulletin.com/conference/vb2018/abstracts/nomadic-octopus-cyber-espionage-central-asia/"
+ ],
+ "synonyms": [
+ "Nomadic Octopus"
 ]
 },
 "uuid": "7b227f41-efea-4dc0-8a2a-148893795ce4",
@@ -12675,20 +12675,20 @@
 {
 "description": "TraderTraitor targets blockchain companies through spear-phishing messages. The group sends these messages to employees, particularly those in system administration or software development roles, on various communication platforms, intended to gain access to these start-up and high-tech companies. TraderTraitor may be the work of operators previously responsible for APT38 activity.",
 "meta": {
- "aliases": [
- "Jade Sleet",
- "UNC4899"
- ],
 "country": "KP",
 "refs": [
 "https://www.mandiant.com/resources/blog/north-korea-supply-chain",
 "https://us-cert.cisa.gov/ncas/alerts/aa22-108a",
 "https://www.mandiant.com/resources/blog/north-korea-cyber-structure-alignment-2023"
+ ],
+ "synonyms": [
+ "Jade Sleet",
+ "UNC4899"
 ]
 },
 "uuid": "825abfd9-7238-4438-a9e7-c08791f4df4e",
 "value": "TraderTraitor"
 }
 ],
- "version": 292
+ "version": 293
 }