From d05b29c1af47824dc2ef14e5cb4838725fef190a Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Tue, 16 Aug 2022 17:15:30 -0700
Subject: [PATCH 1/2] [threat-actors] Remove duplicate APT33
---
 clusters/threat-actor.json | 62 +++++++++----------------------------
 1 file changed, 14 insertions(+), 48 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index fd0711b..28c65f7 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -1947,7 +1947,19 @@
  "description": "Our analysis reveals that APT33 is a capable group that has carried out cyber espionage operations since at least 2013. We assess APT33 works at the behest of the Iranian government.",
  "meta": {
  "attribution-confidence": "50",
+ "capabilities": "STONEDRILL wiper, variants of TURNEDUP malware",
+ "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
+ "cfr-suspected-victims": [
+ "United States",
+ "Saudi Arabia",
+ "South Korea"
+ ],
+ "cfr-target-category": [
+ "Private sector"
+ ],
+ "cfr-type-of-incident": "Espionage",
  "country": "IR",
+ "mode-of-operation": "IT network limited, information gathering against industrial orgs",
  "refs": [
  "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html",
  "https://blog.trendmicro.com/trendlabs-security-intelligence/more-than-a-dozen-obfuscated-apt33-botnets-used-for-extreme-narrow-targeting/",
@@ -1966,7 +1978,8 @@
  "COBALT TRINITY",
  "G0064",
  "ATK35"
- ]
+ ],
+ "victimology": "Petrochemical, Aerospace, Saudi Arabia"
  },
  "related": [
  {
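Review bot: The merged APT33 entry receives MAGNALLIUM's meta fields in this hunk but not the MAGNALLIUM name itself; unless "MAGNALLIUM" already appears in the head of the synonyms list (which lies outside the second hunk, where only `"COBALT TRINITY"`, `"G0064"`, `"ATK35"` are visible), the Dragos tracking name disappears from the galaxy once the separate entry is deleted, and `"MAGNALLIUM"` should be appended after `"ATK35"`. The deleted entry's `"since": "2016"` is likewise not carried over, which is defensible given the description dates APT33 to 2013, but it is a silent drop rather than a stated choice. The copied `capabilities` and `mode-of-operation` values come from the Dragos ICS-focused profile, so the `"attribution-confidence": "50"` on the surviving entry now also covers claims that were previously attached to a distinct cluster; worth confirming that is intended. The enclosing `meta` object of the first hunk and the `related` array of the second both continue outside the hunks.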
@@ -6125,53 +6138,6 @@
  "uuid": "a08ab076-33c1-4350-b021-650c34277f2d",
  "value": "DYMALLOY"
  },
- {
- "description": "Adversaries abusing ICS (based on Dragos Inc adversary list).",
- "meta": {
- "attribution-confidence": "50",
- "capabilities": "STONEDRILL wiper, variants of TURNEDUP malware",
- "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
- "cfr-suspected-victims": [
- "United States",
- "Saudi Arabia",
- "South Korea"
- ],
- "cfr-target-category": [
- "Private sector"
- ],
- "cfr-type-of-incident": "Espionage",
- "country": "IR",
- "mode-of-operation": "IT network limited, information gathering against industrial orgs",
- "refs": [
- "https://dragos.com/adversaries.html",
- "https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf",
- "https://www.cfr.org/interactive/cyber-operations/apt-33"
- ],
- "since": "2016",
- "synonyms": [
- "APT33"
- ],
- "victimology": "Petrochemical, Aerospace, Saudi Arabia"
- },
- "related": [
- {
- "dest-uuid": "fbd29c89-18ba-4c2d-b792-51c0adee049f",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "4f69ec6d-cb6b-42af-b8e2-920a2aa4be10",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
- "uuid": "accd848b-b8f4-46ba-a408-9063b35cfbf2",
- "value": "MAGNALLIUM"
- },
  {
  "description": "Adversaries abusing ICS (based on Dragos Inc adversary list).",
  "meta": {
From 352998a84d01bda26e42f18545b0bebeabd66d5e Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 17 Aug 2022 07:40:23 +0200
Subject: [PATCH 2/2] fix: [threat-actor] add missing refs for APT33 including CFR link
---
 clusters/threat-actor.json | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 28c65f7..fb2c999 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
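Review bot: Removing the MAGNALLIUM cluster deletes uuid accd848b-b8f4-46ba-a408-9063b35cfbf2 outright, so any other cluster in this file or another galaxy that references it through a `dest-uuid` now points at a non-existent entry; nothing in this patch series retargets such references to the surviving APT33 entry. The removed entry's own `related` links to fbd29c89-18ba-4c2d-b792-51c0adee049f and 4f69ec6d-cb6b-42af-b8e2-920a2aa4be10 are also dropped and are not added to APT33's `related` array in the earlier hunk (only the head of that array is visible, so they may already be present — worth confirming). A search of the repository for the removed uuid before merging would establish whether any dangling `dest-uuid` remains; if one does, pointing it at APT33's uuid is the natural fix, and a `similar` relation from APT33 to the two dest-uuids above would preserve the lost links. The enclosing `values` array continues on both sides of the hunk.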
@@ -1967,7 +1967,10 @@
  "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage",
  "https://www.secureworks.com/research/threat-profiles/cobalt-trinity",
  "https://attack.mitre.org/groups/G0064/",
- "https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/"
+ "https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/",
+ "https://www.cfr.org/interactive/cyber-operations/apt-33",
+ "https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf",
+ "https://dragos.com/adversaries.html"
  ],
  "synonyms": [
  "APT 33",
@@ -10007,5 +10010,5 @@
  "value": "SLIME29"
  }
  ],
- "version": 239
+ "version": 240
  }