diff --git a/README.md b/README.md index f528ac8..f637f33 100644 --- a/README.md +++ b/README.md @@ -599,7 +599,7 @@ Category: *tea-matrix* - source: ** - total: *7* elements [Threat Actor](https://www.misp-galaxy.org/threat-actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group. -Category: *actor* - source: *MISP Project* - total: *782* elements +Category: *actor* - source: *MISP Project* - total: *781* elements [[HTML](https://www.misp-galaxy.org/threat-actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)] diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 0dc399b..e831549 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -4859,8 +4859,27 @@ "https://www.microsoft.com/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations", "https://blog.sekoia.io/calisto-continues-its-credential-harvesting-campaign", "https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf", - "https://www.darkreading.com/attacks-breaches/russian-apt-bluecharlie-swaps-infrastructure-to-evade-detection", - "https://www.microsoft.com/en-us/security/blog/2023/12/07/star-blizzard-increases-sophistication-and-evasion-in-ongoing-attacks/" + "https://www.recordedfuture.com/research/bluecharlie-previously-tracked-as-tag-53-continues-to-deploy-new-infrastructure-in-2023", + "https://www.microsoft.com/en-us/security/blog/2023/12/07/star-blizzard-increases-sophistication-and-evasion-in-ongoing-attacks/", + "https://go.recordedfuture.com/hubfs/reports/cta-2022-1205.pdf", + "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/blue-callisto-orbits-around-us.html", + "https://www.ncsc.gov.uk/files/Advisory-Russian-FSB-cyber-actor-star-blizzard-continues-worldwide-spear-sphishing-campaigns.pdf", + "https://cloud.google.com/blog/topics/threat-intelligence/cyber-threats-global-elections", + "https://cloud.google.com/blog/topics/threat-intelligence/cyber-threats-2024-paris-olympics", + "https://blog.google/threat-analysis-group/google-tag-coldriver-russian-phishing-malware", + "https://citizenlab.ca/2024/08/sophisticated-phishing-targets-russias-perceived-enemies-around-the-globe/", + "https://www.gov.uk/government/news/uk-exposes-attempted-russian-cyber-interference-in-politics-and-democratic-processes", + "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/coldwastrel-space.html", + "https://citizenlab.ca/2024/10/disrupting-coldriver/", + "https://blogs.microsoft.com/on-the-issues/2024/10/03/protecting-democratic-institutions-from-cyber-threats/", + "https://www.justice.gov/opa/pr/justice-department-disrupts-russian-intelligence-spear-phishing-efforts", + "https://www.justice.gov/opa/pr/two-russian-nationals-working-russias-federal-security-service-charged-global-computer", + "https://www.justice.gov/opa/media/1327601/dl?inline", + "https://www.noticeofpleadings.com/starblizzard/", + "https://edeca.net/post/2024-06-26-an-interesting-callisto-yara-rule", + "https://blog.sekoia.io/calisto-show-interests-into-entities-involved-in-ukraine-war-support", + "https://blog.sekoia.io/one-year-after-the-cyber-implications-of-the-russo-ukrainian-war/", + "https://blog.sekoia.io/calisto-doxxing-sekoia-io-findings-concurs-to-reuters-investigation-on-fsb-related-andrey-korinets/" ], "synonyms": [ "COLDRIVER", @@ -4868,24 +4887,19 @@ "TA446", "GOSSAMER BEAR", "BlueCharlie", - "Star Blizzard" + "Star Blizzard", + "TAG-53", + "IRON FRONTIER", + "UNC4057", + "Blue Callisto" ], "targeted-sector": [ - "Government, Administration", + "Government Administration", "Military", "Think Tanks", "Journalist" ] }, - "related": [ - { - "dest-uuid": "06630ccd-98ed-5aec-8083-e04c894bd2d6", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "fbd279ab-c095-48dc-ba48-4bece3dd5b0f", "value": "Callisto" }, @@ -11665,27 +11679,6 @@ "uuid": "171d0590-be92-443f-addb-af5dc2a8034d", "value": "Evasive Panda" }, - { - "description": "A Russia-linked threat actor tracked as TAG-53 is running phishing campaigns impersonating various defense, aerospace, and logistic companies, according to The Record by Recorded Future. Recorded Future’s Insikt Group identified overlaps with a threat actor tracked by other companies as Callisto Group, COLDRIVER, and SEABORGIUM.", - "meta": { - "refs": [ - "https://blog.knowbe4.com/russian-threat-actor-impersonates-aerospace-and-defense-companies", - "https://www.recordedfuture.com/exposing-tag-53-credential-harvesting-infrastructure-for-russia-aligned-espionage-operations?utm_campaign=PostBeyond&utm_source=Twitter&utm_medium=359877&utm_term=Exposing+TAG-53%E2%80%99s+Credential+Harvesting+Infrastructure+Used+for+Russia-Aligned+Espionage+Operations", - "https://go.recordedfuture.com/hubfs/reports/cta-2022-1205.pdf" - ] - }, - "related": [ - { - "dest-uuid": "fbd279ab-c095-48dc-ba48-4bece3dd5b0f", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "overlaps" - } - ], - "uuid": "e5865ca1-ec95-43e2-954a-d0f3507a9747", - "value": "TAG-53" - }, { "description": "This group of cybercriminals is named Malteiroby SCILabs, they operate and distribute the URSA/Mispadu banking trojan.", "meta": {