Revert "update threat actors meta"

This commit is contained in:
Rony 2022-04-02 00:55:38 +05:30 committed by GitHub
parent 24f2814c27
commit 50f39edc10
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -67,8 +67,7 @@
"Brown Fox", "Brown Fox",
"GIF89a", "GIF89a",
"ShadyRAT", "ShadyRAT",
"Shanghai Group", "Shanghai Group"
"G0006"
] ]
}, },
"related": [ "related": [
@ -279,10 +278,8 @@
"MSUpdater", "MSUpdater",
"4HCrew", "4HCrew",
"SULPHUR", "SULPHUR",
"Sulphur",
"SearchFire", "SearchFire",
"TG-6952", "TG-6952"
"G0024"
] ]
}, },
"related": [ "related": [
@ -328,9 +325,7 @@
"Buckeye", "Buckeye",
"Boyusec", "Boyusec",
"BORON", "BORON",
"BRONZE MAYFAIR", "BRONZE MAYFAIR"
"Bronze Mayfair",
"G0022"
] ]
}, },
"related": [ "related": [
@ -430,16 +425,12 @@
"BeeBus", "BeeBus",
"Group 22", "Group 22",
"DynCalc", "DynCalc",
"DynCALC",
"Calc Team", "Calc Team",
"DNSCalc", "DNSCalc",
"Crimson Iron", "Crimson Iron",
"APT12", "APT12",
"APT 12", "APT 12",
"BRONZE GLOBE", "BRONZE GLOBE"
"Bronze GLOBE",
"G0005",
"CTG-8223"
] ]
}, },
"related": [ "related": [
@ -474,8 +465,7 @@
], ],
"synonyms": [ "synonyms": [
"APT16", "APT16",
"SVCMONDR", "SVCMONDR"
"G0023"
] ]
}, },
"uuid": "1f73e14f-b882-4032-a565-26dc653b0daf", "uuid": "1f73e14f-b882-4032-a565-26dc653b0daf",
@ -514,17 +504,7 @@
"Hidden Lynx", "Hidden Lynx",
"Tailgater Team", "Tailgater Team",
"Dogfish", "Dogfish",
"BRONZE KEYSTONE", "BRONZE KEYSTONE"
"Bronze KEYSTONE",
"TEMP.Avengers",
"Sneaky Panda",
"Barium",
"G0025",
"G0066",
"TG-8153",
"ATK 2",
"Elderwood",
"Group 72"
] ]
}, },
"related": [ "related": [
@ -584,11 +564,8 @@
"TG-0416", "TG-0416",
"APT 18", "APT 18",
"SCANDIUM", "SCANDIUM",
"Scandium",
"G0026",
"PLA Navy", "PLA Navy",
"APT18", "APT18"
"Wekby"
] ]
}, },
"related": [ "related": [
@ -668,14 +645,10 @@
"LEAD", "LEAD",
"WICKED SPIDER", "WICKED SPIDER",
"WICKED PANDA", "WICKED PANDA",
"Wicked Panda",
"BARIUM", "BARIUM",
"BRONZE ATLAS", "BRONZE ATLAS",
"BRONZE EXPORT", "BRONZE EXPORT",
"Red Kelpie", "Red Kelpie"
"G0044",
"G0096",
"TG-2633"
] ]
}, },
"related": [ "related": [
@ -753,20 +726,12 @@
"Deep Panda", "Deep Panda",
"WebMasters", "WebMasters",
"APT 19", "APT 19",
"APT19",
"KungFu Kittens", "KungFu Kittens",
"Black Vine", "Black Vine",
"Group 13", "Group 13",
"PinkPanther", "PinkPanther",
"Sh3llCr3w", "Sh3llCr3w",
"BRONZE FIRESTONE", "BRONZE FIRESTONE"
"Bronze FIRESTONE",
"Sunshop Group",
"C0d0s0",
"G0009",
"G0073",
"TG-3551",
"Pupa"
] ]
}, },
"related": [ "related": [
@ -1072,13 +1037,7 @@
"ZipToken", "ZipToken",
"Iron Tiger", "Iron Tiger",
"BRONZE UNION", "BRONZE UNION",
"Bronze Union", "Lucky Mouse"
"Lucky Mouse",
"LuckyMouse",
"Emissary Panda",
"G0027",
"ATK 15",
"ATK15"
] ]
}, },
"related": [ "related": [
@ -1144,21 +1103,12 @@
"menuPass Team", "menuPass Team",
"happyyongzi", "happyyongzi",
"POTASSIUM", "POTASSIUM",
"Potassium",
"DustStorm", "DustStorm",
"Red Apollo", "Red Apollo",
"CVNX", "CVNX",
"HOGFISH", "HOGFISH",
"Hogfish",
"Cloud Hopper", "Cloud Hopper",
"BRONZE RIVERSIDE", "BRONZE RIVERSIDE"
"TA 429",
"G0045",
"ITG01",
"Bronze RIVERSIDE",
"CTG-5938",
"ATK 41",
"Cicada"
] ]
}, },
"related": [ "related": [
@ -1182,10 +1132,9 @@
], ],
"synonyms": [ "synonyms": [
"APT 9", "APT 9",
"APT9", "Flowerlady/Flowershow",
"Flowerlady", "Flowerlady",
"Flowershow", "Flowershow"
"Group 27 "
] ]
}, },
"uuid": "401dd2c9-bd4f-4814-bb87-701e38f18d45", "uuid": "401dd2c9-bd4f-4814-bb87-701e38f18d45",
@ -1284,12 +1233,7 @@
"Lurid", "Lurid",
"Social Network Team", "Social Network Team",
"Royal APT", "Royal APT",
"BRONZE PALACE", "BRONZE PALACE"
"Bronze PALACE",
"G0004",
"Bronze DAVENPORT",
"Bronze IDLEWOOD",
"CTG-9246"
] ]
}, },
"uuid": "3501fbf2-098f-47e7-be6a-6b0ff5742ce8", "uuid": "3501fbf2-098f-47e7-be6a-6b0ff5742ce8",
@ -1322,8 +1266,7 @@
"APT14", "APT14",
"APT 14", "APT 14",
"QAZTeam", "QAZTeam",
"ALUMINUM", "ALUMINUM"
"Aluminum"
] ]
}, },
"related": [ "related": [
@ -1620,10 +1563,7 @@
"APT20", "APT20",
"APT 20", "APT 20",
"TH3Bug", "TH3Bug",
"Twivy", "Twivy"
"APT 8",
"APT8",
"G0116"
] ]
}, },
"uuid": "8bcd855f-a4c1-453a-bede-ff36582f4f40", "uuid": "8bcd855f-a4c1-453a-bede-ff36582f4f40",
@ -1705,9 +1645,7 @@
"KeyBoy", "KeyBoy",
"TropicTrooper", "TropicTrooper",
"Tropic Trooper", "Tropic Trooper",
"BRONZE HOBART", "BRONZE HOBART"
"Bronze Hobart",
"G0081"
] ]
}, },
"uuid": "7f16d1f5-04ee-4d99-abf0-87e1f23f9fee", "uuid": "7f16d1f5-04ee-4d99-abf0-87e1f23f9fee",
@ -2030,16 +1968,9 @@
"APT 33", "APT 33",
"Elfin", "Elfin",
"MAGNALLIUM", "MAGNALLIUM",
"Magnallium",
"Refined Kitten", "Refined Kitten",
"HOLMIUM", "HOLMIUM",
"Holmium", "COBALT TRINITY"
"COBALT TRINITY",
"COBALT Trinity",
"TA 451",
"G0064",
"ATK 35",
"Group 83"
] ]
}, },
"related": [ "related": [
@ -2250,18 +2181,7 @@
"APT35", "APT35",
"APT 35", "APT 35",
"TEMP.Beanie", "TEMP.Beanie",
"Ghambar", "Ghambar"
"TA 453",
"NewsBeef",
"Charming Kitten",
"Phosphorus",
"G0003",
"G0059",
"COBALT illusion",
"Timberworm",
"C-Major",
"Newscaster",
"TunnelVision"
] ]
}, },
"related": [ "related": [
@ -2334,13 +2254,6 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "b8967b3c-3bc9-11e8-8701-8b1ead8c099e",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
} }
], ],
"uuid": "86724806-7ec9-4a48-a0a7-ecbde3bf4810", "uuid": "86724806-7ec9-4a48-a0a7-ecbde3bf4810",
@ -2475,7 +2388,6 @@
"Fancy Bear", "Fancy Bear",
"Sednit", "Sednit",
"SNAKEMACKEREL", "SNAKEMACKEREL",
"Snakemackerel",
"TsarTeam", "TsarTeam",
"Tsar Team", "Tsar Team",
"TG-4127", "TG-4127",
@ -2484,19 +2396,10 @@
"TAG_0700", "TAG_0700",
"Swallowtail", "Swallowtail",
"IRON TWILIGHT", "IRON TWILIGHT",
"Iron Twilight",
"Group 74", "Group 74",
"SIG40", "SIG40",
"Grizzly Steppe", "Grizzly Steppe",
"apt_sofacy", "apt_sofacy"
"TA 422",
"Strontium",
"G0007",
"ITG05",
"ATK 5",
"ATK5",
"T-APT-12",
"APT-C-20"
] ]
}, },
"related": [ "related": [
@ -2563,26 +2466,19 @@
"CozyDuke", "CozyDuke",
"EuroAPT", "EuroAPT",
"CozyBear", "CozyBear",
"Cozy Bear",
"CozyCar", "CozyCar",
"Cozer", "Cozer",
"Office Monkeys", "Office Monkeys",
"OfficeMonkeys", "OfficeMonkeys",
"APT29", "APT29",
"Cozy Bear",
"The Dukes", "The Dukes",
"Minidionis", "Minidionis",
"SeaDuke", "SeaDuke",
"Hammer Toss", "Hammer Toss",
"YTTRIUM", "YTTRIUM",
"Yttrium",
"Iron Hemlock", "Iron Hemlock",
"Grizzly Steppe", "Grizzly Steppe"
"TA 421",
"CloudLook",
"G0016",
"ITG11",
"ATK7",
"ATK 7"
] ]
}, },
"related": [ "related": [
@ -2918,19 +2814,7 @@
"synonyms": [ "synonyms": [
"CARBON SPIDER", "CARBON SPIDER",
"GOLD NIAGARA", "GOLD NIAGARA",
"Calcium", "Calcium"
"Carbanak",
"FIN 7",
"ELBRUS",
"G0046",
"ITG14",
"Magecart Group 7",
"Gold NIAGARA",
"Anunak",
"ATK 32",
"APT-C-11",
"Navigator",
"TelePort Crew"
] ]
}, },
"related": [ "related": [
@ -3043,10 +2927,7 @@
"https://attack.mitre.org/groups/G0085/" "https://attack.mitre.org/groups/G0085/"
], ],
"synonyms": [ "synonyms": [
"FIN4", "FIN4"
"FIN 4",
"Wolf Spider",
"G0085"
] ]
}, },
"uuid": "ff449346-aa9f-45f6-b482-71e886a5cf57", "uuid": "ff449346-aa9f-45f6-b482-71e886a5cf57",
@ -3222,19 +3103,7 @@
"Nickel Academy", "Nickel Academy",
"APT-C-26", "APT-C-26",
"NICKEL GLADSTONE", "NICKEL GLADSTONE",
"COVELLITE", "COVELLITE"
"G0082",
"G0032",
"ITG03",
"Hive0080",
"CTG-6459",
"Lazarus",
"ATK 117",
"T-APT-15",
"Klipodenc",
"SectorA01",
"BeagleBoyz",
"NESTEGG"
] ]
}, },
"related": [ "related": [
@ -3412,11 +3281,8 @@
"APT36", "APT36",
"APT 36", "APT 36",
"TMP.Lapis", "TMP.Lapis",
"TEMP.Lapis",
"Green Havildar", "Green Havildar",
"COPPER FIELDSTONE", "COPPER FIELDSTONE"
"G0134",
"APT-C-56"
] ]
}, },
"related": [ "related": [
@ -3514,14 +3380,7 @@
"Sarit", "Sarit",
"Quilted Tiger", "Quilted Tiger",
"APT-C-09", "APT-C-09",
"ZINC EMERSON", "ZINC EMERSON"
"Confucius",
"ATK 11",
"TG-4410",
"G0040",
"G0089",
"Viceroy Tiger",
"Dropping Elephant"
] ]
}, },
"related": [ "related": [
@ -3717,13 +3576,7 @@
"https://www.cfr.org/interactive/cyber-operations/apt-30" "https://www.cfr.org/interactive/cyber-operations/apt-30"
], ],
"synonyms": [ "synonyms": [
"APT30", "APT30"
"Naikon",
"Override Panda",
"G0019",
"G0013",
"BRONZE STERLING",
"CTG-5326"
] ]
}, },
"related": [ "related": [
@ -3831,12 +3684,7 @@
"ITG08", "ITG08",
"MageCart Group 6", "MageCart Group 6",
"White Giant", "White Giant",
"GOLD FRANKLIN", "GOLD FRANKLIN"
"FIN 6",
"G0037",
"Gold FRANKLIN",
"ATK 88",
"APT-C-01"
] ]
}, },
"related": [ "related": [
@ -3936,13 +3784,7 @@
"Helix Kitten", "Helix Kitten",
"APT 34", "APT 34",
"APT34", "APT34",
"IRN2", "IRN2"
"TA 452",
"G0049",
"G0116",
"ITG13",
"ATK 40",
"Chrysene"
] ]
}, },
"related": [ "related": [
@ -4608,11 +4450,7 @@
"Ocean Buffalo", "Ocean Buffalo",
"POND LOACH", "POND LOACH",
"TIN WOODLAWN", "TIN WOODLAWN",
"Tin Woodlawn", "BISMUTH"
"Woodlawn",
"BISMUTH",
"G0050",
"SectorF01"
] ]
}, },
"related": [ "related": [
@ -4769,11 +4607,6 @@
"https://afyonluoglu.org/PublicWebFiles/Reports-TR/2017%20FireEye%20M-Trends%20Report.pdf", "https://afyonluoglu.org/PublicWebFiles/Reports-TR/2017%20FireEye%20M-Trends%20Report.pdf",
"https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html", "https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html",
"https://attack.mitre.org/groups/G0061" "https://attack.mitre.org/groups/G0061"
],
"synonyms": [
"FIN 8",
"G0061",
"ATK113"
] ]
}, },
"related": [ "related": [
@ -4869,10 +4702,6 @@
"refs": [ "refs": [
"https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts", "https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts",
"https://attack.mitre.org/groups/G0062/" "https://attack.mitre.org/groups/G0062/"
],
"synonyms": [
"TA 459",
"G0062"
] ]
}, },
"related": [ "related": [
@ -4924,9 +4753,7 @@
"synonyms": [ "synonyms": [
"CactusPete", "CactusPete",
"Karma Panda", "Karma Panda",
"BRONZE HUNTLEY", "BRONZE HUNTLEY"
"Bronze HUNTLEY",
"G0131"
] ]
}, },
"uuid": "0ab7c8de-fc23-4793-99aa-7ee336199e26", "uuid": "0ab7c8de-fc23-4793-99aa-7ee336199e26",
@ -4944,7 +4771,6 @@
{ {
"description": "We have observed one APT group, which we call APT5, particularly focused on telecommunications and technology companies. More than half of the organizations we have observed being targeted or breached by APT5 operate in these sectors. Several times, APT5 has targeted organizations and personnel based in Southeast Asia. APT5 has been active since at least 2007. It appears to be a large threat group that consists of several subgroups, often with distinct tactics and infrastructure. APT5 has targeted or breached organizations across multiple industries, but its focus appears to be on telecommunications and technology companies, especially information about satellite communications. \nAPT5 targeted the network of an electronics firm that sells products for both industrial and military applications. The group subsequently stole communications related to the firms business relationship with a national military, including inventories and memoranda about specific products they provided. \nIn one case in late 2014, APT5 breached the network of an international telecommunications company. The group used malware with keylogging capabilities to monitor the computer of an executive who manages the companys relationships with other telecommunications companies", "description": "We have observed one APT group, which we call APT5, particularly focused on telecommunications and technology companies. More than half of the organizations we have observed being targeted or breached by APT5 operate in these sectors. Several times, APT5 has targeted organizations and personnel based in Southeast Asia. APT5 has been active since at least 2007. It appears to be a large threat group that consists of several subgroups, often with distinct tactics and infrastructure. APT5 has targeted or breached organizations across multiple industries, but its focus appears to be on telecommunications and technology companies, especially information about satellite communications. 
\nAPT5 targeted the network of an electronics firm that sells products for both industrial and military applications. The group subsequently stole communications related to the firms business relationship with a national military, including inventories and memoranda about specific products they provided. \nIn one case in late 2014, APT5 breached the network of an international telecommunications company. The group used malware with keylogging capabilities to monitor the computer of an executive who manages the companys relationships with other telecommunications companies",
"meta": { "meta": {
"country": "CN",
"refs": [ "refs": [
"https://www.fireeye.com/current-threats/apt-groups.html", "https://www.fireeye.com/current-threats/apt-groups.html",
"https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-southeast-asia-threat-landscape.pdf", "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-southeast-asia-threat-landscape.pdf",
@ -4952,19 +4778,7 @@
], ],
"synonyms": [ "synonyms": [
"MANGANESE", "MANGANESE",
"BRONZE FLEETWOOD", "BRONZE FLEETWOOD"
"APT 5",
"UNC2630",
"Poisoned Flight",
"Keyhole Panda",
"Pitty Panda",
"Manganese",
"G0011",
"Bronze FLEETWOOD",
"TG-2754",
"PittyTiger",
"DPD",
"TEMP.Bottle"
] ]
}, },
"uuid": "a47b79ae-7a0c-4308-9efc-294af19cc795", "uuid": "a47b79ae-7a0c-4308-9efc-294af19cc795",
@ -4980,11 +4794,7 @@
], ],
"synonyms": [ "synonyms": [
"APT22", "APT22",
"BRONZE OLIVE", "BRONZE OLIVE"
"Bronze Olive",
"Group 46",
"Suckfly",
"G0039"
] ]
}, },
"uuid": "7a2457d6-148a-4ce1-9e79-aa43352ee842", "uuid": "7a2457d6-148a-4ce1-9e79-aa43352ee842",
@ -5049,14 +4859,7 @@
"Hippo Team", "Hippo Team",
"JerseyMikes", "JerseyMikes",
"Turbine Panda", "Turbine Panda",
"BRONZE EXPRESS", "BRONZE EXPRESS"
"Bronze Express",
"KungFu Kittens",
"WebMasters",
"Black Vine",
"Group 13",
"Shell Crew",
"PinkPanther"
] ]
}, },
"related": [ "related": [
@ -5306,11 +5109,7 @@
"APT4", "APT4",
"APT 4", "APT 4",
"BRONZE EDISON", "BRONZE EDISON",
"Bronze EDISON", "Sykipot"
"Sykipot",
"Samurai Panda",
"TG-0623",
"Wisp Team"
] ]
}, },
"uuid": "8e28dbee-4e9e-4491-9a6c-ee9c9ec4b28b", "uuid": "8e28dbee-4e9e-4491-9a6c-ee9c9ec4b28b",
@ -5912,15 +5711,7 @@
"Red Eyes", "Red Eyes",
"Ricochet Chollima", "Ricochet Chollima",
"ScarCruft", "ScarCruft",
"Venus 121", "Venus 121"
"TEMP.Reaper",
"Thallium",
"G0067",
"ITG10",
"ATK 4",
"Hermit",
"Geumseong121",
"Hidden Cobra"
] ]
}, },
"related": [ "related": [
@ -6006,16 +5797,8 @@
"APT 40", "APT 40",
"APT40", "APT40",
"BRONZE MOHAWK", "BRONZE MOHAWK",
"Bronze Mohawk",
"GADOLINIUM", "GADOLINIUM",
"Gadolinium", "Kryptonite Panda"
"Kryptonite Panda",
"G0065",
"ITG09",
"ATK29",
"Flaccid Rose",
"Nanhaishu",
"Mudcarp"
] ]
}, },
"related": [ "related": [
@ -6043,15 +5826,6 @@
"Newscaster Team" "Newscaster Team"
] ]
}, },
"related": [
{
"dest-uuid": "86724806-7ec9-4a48-a0a7-ecbde3bf4810",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "b8967b3c-3bc9-11e8-8701-8b1ead8c099e", "uuid": "b8967b3c-3bc9-11e8-8701-8b1ead8c099e",
"value": "APT35" "value": "APT35"
}, },
@ -6216,7 +5990,6 @@
"Private sector" "Private sector"
], ],
"cfr-type-of-incident": "Espionage", "cfr-type-of-incident": "Espionage",
"country": "RU",
"mode-of-operation": "Deep ICS environment information gathering, operator credentials, industrial process details", "mode-of-operation": "Deep ICS environment information gathering, operator credentials, industrial process details",
"refs": [ "refs": [
"https://dragos.com/adversaries.html", "https://dragos.com/adversaries.html",
@ -6227,10 +6000,7 @@
"synonyms": [ "synonyms": [
"Dragonfly 2.0", "Dragonfly 2.0",
"Dragonfly2", "Dragonfly2",
"Berserker Bear", "Berserker Bear"
"Berserk Bear",
"G0074",
"Dymalloy"
], ],
"victimology": "Turkey, Europe, US" "victimology": "Turkey, Europe, US"
}, },
@ -6651,12 +6421,6 @@
"refs": [ "refs": [
"https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/", "https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/",
"https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/" "https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/"
],
"synonyms": [
"G0112",
"Urpage",
"EHDevel",
"WindShift"
] ]
}, },
"uuid": "dc3edacc-bb24-11e8-81fb-8c16458922a7", "uuid": "dc3edacc-bb24-11e8-81fb-8c16458922a7",
@ -6919,11 +6683,6 @@
"country": "RU", "country": "RU",
"refs": [ "refs": [
"https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/" "https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/"
],
"synonyms": [
"Indrik Spider",
"G0119",
"Gold DRAKE"
] ]
}, },
"uuid": "658314bc-3bb8-48d2-913a-c528607b75c8", "uuid": "658314bc-3bb8-48d2-913a-c528607b75c8",
@ -7062,15 +6821,7 @@
"GRACEFUL SPIDER", "GRACEFUL SPIDER",
"GOLD TAHOE", "GOLD TAHOE",
"Dudear", "Dudear",
"TA 505", "TEMP.Warlock"
"Graceful Spider",
"TEMP.Warlock",
"Chimborazo",
"G0092",
"Hive0065",
"Gold TAHOE",
"ATK 103",
"SectorJ04"
] ]
}, },
"uuid": "03c80674-35f8-4fe0-be2b-226ed0fcd69f", "uuid": "03c80674-35f8-4fe0-be2b-226ed0fcd69f",
@ -7129,12 +6880,7 @@
], ],
"synonyms": [ "synonyms": [
"TA542", "TA542",
"GOLD CRESTWOOD", "GOLD CRESTWOOD"
"Mummy Spider",
"TA 542",
"Gold CRESTWOOD",
"ATK104",
"Mealybug"
] ]
}, },
"uuid": "c93281be-f6cd-4cd0-a5a3-defde9d77d8b", "uuid": "c93281be-f6cd-4cd0-a5a3-defde9d77d8b",
@ -7201,11 +6947,7 @@
"synonyms": [ "synonyms": [
"Chafer", "Chafer",
"REMIX KITTEN", "REMIX KITTEN",
"Remix Kitten", "COBALT HICKMAN"
"COBALT HICKMAN",
"TA 454",
"G0087",
"ITG07"
] ]
}, },
"uuid": "c2c64bd3-a325-446f-91a8-b4c0f173a30b", "uuid": "c2c64bd3-a325-446f-91a8-b4c0f173a30b",
@ -7468,11 +7210,7 @@
"synonyms": [ "synonyms": [
"COBALT DICKENS", "COBALT DICKENS",
"Mabna Institute", "Mabna Institute",
"TA407", "TA407"
"TA 407",
"Yellow Nabu",
"SilentLibrarian",
"Silent Librarian"
] ]
}, },
"uuid": "5059b44d-2753-4977-b987-4922f09afe6b", "uuid": "5059b44d-2753-4977-b987-4922f09afe6b",
@ -7506,13 +7244,9 @@
"https://twitter.com/bkMSFT/status/1417823714922610689" "https://twitter.com/bkMSFT/status/1417823714922610689"
], ],
"synonyms": [ "synonyms": [
"APT 31",
"ZIRCONIUM", "ZIRCONIUM",
"Zirconium",
"JUDGMENT PANDA", "JUDGMENT PANDA",
"Judgment Panda", "BRONZE VINEWOOD"
"BRONZE VINEWOOD",
"G0128"
] ]
}, },
"uuid": "6bf7e6b6-5917-45a6-9567-f0baba79768c", "uuid": "6bf7e6b6-5917-45a6-9567-f0baba79768c",
@ -7574,10 +7308,6 @@
"refs": [ "refs": [
"https://www.darkreading.com/analytics/prolific-cybercrime-gang-favors-legit-login-credentials/d/d-id/1322645?", "https://www.darkreading.com/analytics/prolific-cybercrime-gang-favors-legit-login-credentials/d/d-id/1322645?",
"https://attack.mitre.org/groups/G0053/" "https://attack.mitre.org/groups/G0053/"
],
"synonyms": [
"FIN 5",
"G0053"
] ]
}, },
"uuid": "44dc2f9c-8c28-11e9-9b9a-7fdced8cbf70", "uuid": "44dc2f9c-8c28-11e9-9b9a-7fdced8cbf70",
@ -7600,10 +7330,6 @@
"refs": [ "refs": [
"https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin10.pdf", "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin10.pdf",
"https://attack.mitre.org/groups/G0051/" "https://attack.mitre.org/groups/G0051/"
],
"synonyms": [
"FIN 10",
"G0051"
] ]
}, },
"uuid": "f2d02410-8c2c-11e9-8df1-a31c1fb33d79", "uuid": "f2d02410-8c2c-11e9-8df1-a31c1fb33d79",
@ -7883,9 +7609,7 @@
], ],
"synonyms": [ "synonyms": [
"Temp.Hex", "Temp.Hex",
"Vicious Panda", "Vicious Panda"
"TA 428",
"Bronze DUDLEY"
] ]
}, },
"uuid": "5533d062-18ab-4c70-9472-0eac03f95a1d", "uuid": "5533d062-18ab-4c70-9472-0eac03f95a1d",
@ -8005,11 +7729,6 @@
"https://www.proofpoint.com/us/threat-insight/post/lookback-forges-ahead-continued-targeting-united-states-utilities-sector-reveals", "https://www.proofpoint.com/us/threat-insight/post/lookback-forges-ahead-continued-targeting-united-states-utilities-sector-reveals",
"https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks", "https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks",
"https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new" "https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new"
],
"synonyms": [
"LookBack",
"TA 410",
"TALONITE"
] ]
}, },
"uuid": "5cd95926-0098-435e-892d-9c9f61763ad7", "uuid": "5cd95926-0098-435e-892d-9c9f61763ad7",
@ -8053,7 +7772,6 @@
{ {
"description": "For the first time, the activity of the Calypso group was detected by specialists of PT Expert Security Center in March 2019, during the work to detect cyber threats. As a result, many malware samples of this group were obtained, affected organizations and control servers of intruders were identified. According to our data, the group has been active since at least September 2016. The main goal of the group is to steal confidential data, the main victims are government agencies from Brazil, India, Kazakhstan, Russia, Thailand, Turkey. Our data suggest that the group has Asian roots. Description translated from Russian.", "description": "For the first time, the activity of the Calypso group was detected by specialists of PT Expert Security Center in March 2019, during the work to detect cyber threats. As a result, many malware samples of this group were obtained, affected organizations and control servers of intruders were identified. According to our data, the group has been active since at least September 2016. The main goal of the group is to steal confidential data, the main victims are government agencies from Brazil, India, Kazakhstan, Russia, Thailand, Turkey. Our data suggest that the group has Asian roots. Description translated from Russian.",
"meta": { "meta": {
"country": "CN",
"refs": [ "refs": [
"https://www.ptsecurity.com/upload/corporate/ru-ru/analytics/calypso-apt-2019-rus.pdf" "https://www.ptsecurity.com/upload/corporate/ru-ru/analytics/calypso-apt-2019-rus.pdf"
] ]
@ -8314,10 +8032,7 @@
], ],
"synonyms": [ "synonyms": [
"GOLD ESSEX", "GOLD ESSEX",
"TA544", "TA544"
"TA 544",
"Narwhal Spider",
"Gold ESSEX"
] ]
}, },
"uuid": "fda9cdea-0017-495e-879d-0f348db2aa07", "uuid": "fda9cdea-0017-495e-879d-0f348db2aa07",
@ -8605,9 +8320,7 @@
"synonyms": [ "synonyms": [
"TEMP.Warlock", "TEMP.Warlock",
"UNC902", "UNC902",
"GRACEFUL SPIDER", "GRACEFUL SPIDER"
"Graceful Spider",
"Gold Evergreen"
] ]
}, },
"uuid": "c01aadc6-1087-4e8e-8d5c-a27eba409fe3", "uuid": "c01aadc6-1087-4e8e-8d5c-a27eba409fe3",
@ -8762,9 +8475,7 @@
], ],
"synonyms": [ "synonyms": [
"UNC1151", "UNC1151",
"TA 445", "TA445"
"TA445",
"UAC-0051"
] ]
}, },
"uuid": "749aaa11-f0fd-416b-bf6c-112f9b5930a5", "uuid": "749aaa11-f0fd-416b-bf6c-112f9b5930a5",
@ -8981,10 +8692,7 @@
], ],
"synonyms": [ "synonyms": [
"Shakthak", "Shakthak",
"TA551", "TA551"
"TA 551",
"Lunar Spider",
"G0127"
] ]
}, },
"uuid": "36e8c848-4d20-47ea-9fc2-31aa17bf82d1", "uuid": "36e8c848-4d20-47ea-9fc2-31aa17bf82d1",
@ -9274,11 +8982,6 @@
"meta": { "meta": {
"refs": [ "refs": [
"https://www.thaicert.or.th/downloads/files/Threat_Group_Cards_v2.0.pdf" "https://www.thaicert.or.th/downloads/files/Threat_Group_Cards_v2.0.pdf"
],
"synonyms": [
"Scully Spider",
"TA 547",
"TH-163"
] ]
}, },
"uuid": "29fbc8d4-1e6e-4edc-9887-bdf47f36e4c1", "uuid": "29fbc8d4-1e6e-4edc-9887-bdf47f36e4c1",
@ -9291,8 +8994,7 @@
"https://www.thaicert.or.th/downloads/files/Threat_Group_Cards_v2.0.pdf" "https://www.thaicert.or.th/downloads/files/Threat_Group_Cards_v2.0.pdf"
], ],
"synonyms": [ "synonyms": [
"TH-163", "TH-163"
"TA 554"
] ]
}, },
"uuid": "36f1a1b8-e03a-484f-95a3-005345679cbe", "uuid": "36f1a1b8-e03a-484f-95a3-005345679cbe",
@ -9335,33 +9037,6 @@
"uuid": "d45dd940-b38d-4b2c-9f2f-3e4a0eac841c", "uuid": "d45dd940-b38d-4b2c-9f2f-3e4a0eac841c",
"value": "MosesStaff" "value": "MosesStaff"
}, },
{
"description": "The groups existence came to light during Contexts investigation of a number of attacks against multinational enterprises that compromise smaller engineering services and consultancies working in their supply chains.",
"meta": {
"country": "CN",
"refs": [
"https://www.computerweekly.com/news/252471769/New-threat-group-behind-Airbus-cyber-attacks-claim-researchers"
]
},
"uuid": "8045fc09-13d6-4f90-b239-ed5060b9297b",
"value": "Avivore"
},
{
"description": "The Bitter threat group initially started using RAT tools in their campaigns, as the first Bitter versions, for Android released in 2014 were based on the AndroRAT framework. Over time, they switched to a custom version that has been known as BitterRAT ever since.",
"meta": {
"country": "IN",
"refs": [
"https://www.bitdefender.com/files/News/CaseStudies/study/352/Bitdefender-PR-Whitepaper-BitterAPT-creat4571-en-EN-GenericUse.pdf"
],
"synonyms": [
"BitterAPT",
"T-APT-17",
"APT-C-08"
]
},
"uuid": "1e9bd6fe-e009-41ce-8e92-ad78c73ee772",
"value": "Bitter"
},
{ {
"description": "An actor group conducting large-scale social engineering and extortion campaign against multiple organizations with some seeing evidence of destructive elements.", "description": "An actor group conducting large-scale social engineering and extortion campaign against multiple organizations with some seeing evidence of destructive elements.",
"meta": { "meta": {
@ -9396,5 +9071,5 @@
"value": "Scarab" "value": "Scarab"
} }
], ],
"version": 216 "version": 215
} }
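Review bot: The last hunk lowers the cluster `"version"` from 216 to 215, so the published version number moves backwards; if downstream consumers only apply a galaxy cluster when its version is higher than the one they already hold, instances that already pulled 216 will ignore this revert and will also ignore the next edit if it re-publishes 216. Reverting the content while bumping to `"version": 217` avoids that, and the same applies to any follow-up re-application of the reverted data. The full revert also backs out more than the synonym expansion: the APT5 and Calypso `"country": "CN"`, the Dragonfly 2.0 `"country": "RU"`, the mutual `"related"` links between the two APT35 entries (uuids 86724806-… and b8967b3c-…), and the Avivore and Bitter entries disappear along with the synonym lists; if the intent was only to undo the duplicated case-variant and MITRE G-number aliases, a targeted revert would keep those, but that intent is not stated in the commit. Worth noting in the commit message either way, since "Revert" alone does not tell a reader which of these losses were deliberate.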