From b8d4ffdbdeef905053f33209394195b96bb6d9ac Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Wed, 29 Jun 2022 20:13:33 +0200
Subject: [PATCH 1/5] Merge Cutting Kitten and Cleaver
---
 clusters/threat-actor.json | 103 +++++++------------------------------
 1 file changed, 20 insertions(+), 83 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index a59224d..9613598 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -1777,85 +1777,6 @@
 "uuid": "ba724df5-9aa0-45ca-8e0e-7101c208ae48",
 "value": "Flying Kitten"
 },
- {
- "description": "While tracking a suspected Iran-based threat group known as Threat Group-2889[1] (TG-2889), Dell SecureWorks Counter Threat Unit™ (CTU) researchers uncovered a network of fake LinkedIn profiles. These convincing profiles form a self-referenced network of seemingly established LinkedIn users. CTU researchers assess with high confidence the purpose of this network is to target potential victims through social engineering. Most of the legitimate LinkedIn accounts associated with the fake accounts belong to individuals in the Middle East, and CTU researchers assess with medium confidence that these individuals are likely targets of TG-2889. One of the threat actors responsible for the denial of service attacks against U.S in 2012–2013. Three individuals associated with the group—believed to be have been working on behalf of Iran’s Islamic Revolutionary Guard Corps—were indicted by the Justice Department in 2016. 
",
- "meta": {
- "attribution-confidence": "50",
- "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
- "cfr-suspected-victims": [
- "Bank of America",
- "US Bancorp",
- "Fifth Third Bank",
- "Citigroup",
- "PNC",
- "BB&T",
- "Wells Fargo",
- "Capital One",
- "HSBC"
- ],
- "cfr-target-category": [
- "Private sector"
- ],
- "cfr-type-of-incident": "Denial of service",
- "country": "IR",
- "refs": [
- "http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/",
- "https://www.cfr.org/interactive/cyber-operations/itsecteam"
- ],
- "synonyms": [
- "ITSecTeam",
- "Threat Group 2889",
- "TG-2889",
- "Ghambar"
- ]
- },
- "related": [
- {
- "dest-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "86724806-7ec9-4a48-a0a7-ecbde3bf4810",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "42be2a84-5a5c-4c6d-9864-3f09d75bb0ba",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "d56c99fa-4710-472c-81a6-41b7a84ea4be",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "a0082cfa-32e2-42b8-92d8-5c7a7409dcf1",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "b96e02f1-4037-463f-b158-5a964352f8d9",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
- "uuid": "11e17436-6ede-4733-8547-4ce0254ea19e",
- "value": "Cutting Kitten"
- },
 {
 "description": "Charming Kitten (aka Parastoo, aka Newscaster) is an group with a suspected nexus to Iran that targets organizations involved in government, defense technology, military, and diplomacy sectors.",
 "meta": {
@@ -2177,13 +2098,25 @@
 "India",
 "Kuwait",
 "Qatar",
- "Turkey"
+ "Turkey",
+ "Bank of America",
+ "US Bancorp",
+ "Fifth Third Bank",
+ "Citigroup",
+ "PNC",
+ "BB&T",
+ "Wells Fargo",
+ "Capital One",
+ "HSBC"
 ],
 "cfr-target-category": [
 "Private sector",
 "Government"
 ],
- "cfr-type-of-incident": "Espionage",
+ "cfr-type-of-incident": [
+ "Espionage",
+ "Denial of service"
+ ],
 "country": "IR",
 "refs": [
 "https://www.cfr.org/interactive/cyber-operations/magic-hound",
@@ -2198,7 +2131,9 @@
 "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-the-spy-kittens-are-back.pdf",
 "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf",
 "https://attack.mitre.org/groups/G0059/",
- "https://attack.mitre.org/groups/G0003/"
+ "https://attack.mitre.org/groups/G0003/",
+ "https://www.cfr.org/interactive/cyber-operations/itsecteam",
+ "https://xorl.wordpress.com/2021/05/06/iran-cyber-operations-groups/"
 ],
 "synonyms": [
 "Operation Cleaver",
@@ -2206,6 +2141,7 @@
 "Alibaba",
 "2889",
 "TG-2889",
+ "Threat Group 2889",
 "Cobalt Gypsy",
 "Rocket_Kitten",
 "Cutting Kitten",
@@ -2216,7 +2152,8 @@
 "TEMP.Beanie",
 "Ghambar",
 "G0059",
- "G0003"
+ "G0003",
+ "ITSecTeam"
 ]
 },
 "related": [
From d63c990dad053c14fc6277d50a7542f74fd896a5 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Thu, 30 Jun 2022 14:30:31 +0200
Subject: [PATCH 2/5] [threat-actors] Separate ITSecTeam from Cleaver
---
 clusters/threat-actor.json | 62 +++++++++++++++++++++++++++-----------
 1 file changed, 44 insertions(+), 18 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 9613598..0b69ce8 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -2098,25 +2098,13 @@
 "India",
 "Kuwait",
 "Qatar",
- "Turkey",
- "Bank of America",
- "US Bancorp",
- "Fifth Third Bank",
- "Citigroup",
- "PNC",
- "BB&T",
- "Wells Fargo",
- "Capital One",
- "HSBC"
+ "Turkey"
 ],
 "cfr-target-category": [
 "Private sector",
 "Government"
 ],
- "cfr-type-of-incident": [
- "Espionage",
- "Denial of service"
- ],
+ "cfr-type-of-incident": "Espionage",
 "country": "IR",
 "refs": [
 "https://www.cfr.org/interactive/cyber-operations/magic-hound",
@@ -2132,7 +2120,6 @@
 "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf",
 "https://attack.mitre.org/groups/G0059/",
 "https://attack.mitre.org/groups/G0003/",
- "https://www.cfr.org/interactive/cyber-operations/itsecteam",
 "https://xorl.wordpress.com/2021/05/06/iran-cyber-operations-groups/"
 ],
 "synonyms": [
@@ -2152,8 +2139,7 @@
 "TEMP.Beanie",
 "Ghambar",
 "G0059",
- "G0003",
- "ITSecTeam"
+ "G0003"
 ]
 },
 "related": [
@@ -9476,7 +9462,47 @@
 },
 "uuid": "091a0b69-74de-44b6-bb12-16b7a8fd078b",
 "value": "ToddyCat"
+ },
+ {
+ "description": "One of the threat actors responsible for the denial of service attacks against U.S in 2012–2013. Three individuals associated with the group—believed to be have been working on behalf of Iran’s Islamic Revolutionary Guard Corps—were indicted by the Justice Department in 2016.",
+ "meta": {
+ "attribution-confidence": "50",
+ "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
+ "cfr-suspected-victims": [
+ "United States",
+ "Bank of America",
+ "US Bancorp",
+ "Fifth Third Bank",
+ "Citigroup",
+ "PNC",
+ "BB&T",
+ "Wells Fargo",
+ "Capital One",
+ "HSBC",
+ "AT&T",
+ "NYSE"
+ ],
+ "cfr-type-of-incident": [
+ "Denial of service"
+ ],
+ "country": "IR",
+ "refs": [
+ "https://www.cfr.org/interactive/cyber-operations/itsecteam",
+ "https://www.justice.gov/usao-sdny/file/835061/download"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "86724806-7ec9-4a48-a0a7-ecbde3bf4810",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "linked-to"
+ }
+ ],
+ "uuid": "7a3f505b-10e9-4177-a96f-d476b55fd3dd",
+ "value": "ITSecTeam"
 }
 ],
- "version": 229
+ "version": 230
 }
From 693eed8d78ec1541ebbaeb995afd89f1559135c1 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Mon, 4 Jul 2022 14:03:36 +0200
Subject: [PATCH 3/5] [threat actor] Break Cleaver aliases into respective entries
---
 clusters/threat-actor.json | 51 +++++++++++++++++++------------------
 1 file changed, 26 insertions(+), 25 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 0b69ce8..dfe3786 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
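Review bot: The description added in this hunk carries a grammatical slip, `believed to be have been working` should read `believed to have been working`, and `against U.S in 2012–2013` should be `against the U.S. in 2012–2013`; the identical text is re-added by the last patch in this series (hunk at 1782), so both places need the fix. The recreated entry also has no `synonyms` and no `cfr-target-category`, although the original Cutting Kitten entry that patch 1 removed carried `"cfr-target-category": ["Private sector"]` and the aliases `Threat Group 2889`, `TG-2889` and `Ghambar`; those aliases are left on the Cleaver cluster by this commit, so a lookup by any of them still resolves to the wrong actor after the split. Adding `"cfr-target-category": ["Private sector"]` and at least `"synonyms": ["ITSecTeam", "Threat Group 2889", "TG-2889", "Ghambar"]` to this entry would preserve what the deleted record documented.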
@@ -2107,38 +2107,30 @@
 "cfr-type-of-incident": "Espionage",
 "country": "IR",
 "refs": [
- "https://www.cfr.org/interactive/cyber-operations/magic-hound",
 "https://www.secureworks.com/research/the-curious-case-of-mia-ash",
- "https://www.cfr.org/interactive/cyber-operations/operation-cleaver",
- "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf",
+ "\"https://www.cfr.org/interactive/cyber-operations/operation-cleaver",
 "http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/",
 "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-woolen-goldfish-when-kittens-go-phishing",
- "https://unit42.paloaltonetworks.com/unit42-magic-hound-campaign-attacks-saudi-targets/",
 "https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations",
 "https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/",
 "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-the-spy-kittens-are-back.pdf",
 "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf",
- "https://attack.mitre.org/groups/G0059/",
 "https://attack.mitre.org/groups/G0003/",
- "https://xorl.wordpress.com/2021/05/06/iran-cyber-operations-groups/"
+ "https://xorl.wordpress.com/2021/05/06/iran-cyber-operations-groups/",
+ "https://www.secureworks.com/research/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles",
+ "https://know.netenrich.com/threatintel/threat_actor/Cutting%20Kitten",
+ "https://www.cfr.org/cyber-operations/operation-cleaver",
+ "https://securityaffairs.co/wordpress/33682/cyber-crime/ali-baba-apt-middle-east.html",
+ "https://scadahacker.com/library/Documents/Cyber_Events/Cylance%20-%20Operation%20Cleaver%20Report.pdf"
 ],
 "synonyms": [
 "Operation Cleaver",
+ "Op Cleaver",
 "Tarh Andishan",
 "Alibaba",
- "2889",
 "TG-2889",
- "Threat Group 2889",
 "Cobalt Gypsy",
- "Rocket_Kitten",
 "Cutting Kitten",
- "Group 41",
- "Magic Hound",
- "APT35",
- "APT 35",
- "TEMP.Beanie",
- "Ghambar",
- "G0059",
 "G0003"
 ]
 },
@@ -2185,13 +2177,6 @@
 ],
 "type": "similar"
 },
- {
- "dest-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
 {
 "dest-uuid": "ba724df5-9aa0-45ca-8e0e-7101c208ae48",
 "tags": [
@@ -5867,13 +5852,29 @@
 "attribution-confidence": "50",
 "country": "IR",
 "refs": [
- "https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf"
+ "https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf",
+ "https://attack.mitre.org/groups/G0059/",
+ "https://www.cfr.org/interactive/cyber-operations/magic-hound",
+ "https://unit42.paloaltonetworks.com/unit42-magic-hound-campaign-attacks-saudi-targets/",
+ "https://securityaffairs.co/wordpress/56348/intelligence/magic-hound-campaign.html",
+ "https://www.cfr.org/cyber-operations/apt-35"
 ],
 "synonyms": [
 "APT 35",
- "Newscaster Team"
+ "Newscaster Team",
+ "Magic Hound",
+ "G0059"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ }
+ ],
 "uuid": "b8967b3c-3bc9-11e8-8701-8b1ead8c099e",
 "value": "APT35"
 },
From acc6ada575e59774335ee6977866760ed5ace0c5 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Tue, 26 Jul 2022 23:23:57 -0700
Subject: [PATCH 4/5] r0ny123.review: Use Cutting Kitten as main value for ITSecTeam
---
 clusters/threat-actor.json | 15 ++++----------
 1 file changed, 4 insertions(+), 11 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 2926e03..bf0c65b 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -2135,7 +2135,6 @@
 "Alibaba",
 "TG-2889",
 "Cobalt Gypsy",
- "Cutting Kitten",
 "G0003"
 ]
 },
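Review bot: The ref added near the top of the 2107 hunk, `"\"https://www.cfr.org/interactive/cyber-operations/operation-cleaver",`, contains a stray escaped quote, so the stored string starts with a literal `"` and is not a usable URL; it should read `"https://www.cfr.org/interactive/cyber-operations/operation-cleaver",` (the same hunk also adds `https://www.cfr.org/cyber-operations/operation-cleaver`, which looks like the same CFR page under a newer path, so one of the two is probably redundant). The hunk removes `Threat Group 2889` and `Ghambar` from the Cleaver synonyms but nothing in this series adds them to the separate ITSecTeam entry, so those names stop resolving to any cluster. Replacing the vendor-hosted Cylance report with a scadahacker.com mirror changes the provenance of that citation; worth confirming the mirror is the intended source. The Cleaver entry itself starts before and ends after this hunk.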
@@ -9582,19 +9581,13 @@
 "refs": [
 "https://www.cfr.org/interactive/cyber-operations/itsecteam",
 "https://www.justice.gov/usao-sdny/file/835061/download"
+ ],
+ "synonyms": [
+ "ITsecTeam"
 ]
 },
- "related": [
- {
- "dest-uuid": "86724806-7ec9-4a48-a0a7-ecbde3bf4810",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "linked-to"
- }
- ],
 "uuid": "7a3f505b-10e9-4177-a96f-d476b55fd3dd",
- "value": "ITSecTeam"
+ "value": "CUTTING KITTEN"
 },
 {
 "description": "Microsoft successfully detected and disabled attack activity abusing OneDrive by a previously undocumented Lebanon-based activity group Microsoft Threat Intelligence Center (MSTIC) tracks as POLONIUM.",
From 51aacd6b03cb5cd6854d433480e559772a20ded5 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Tue, 26 Jul 2022 23:53:22 -0700
Subject: [PATCH 5/5] Reduce diff with old version
---
 clusters/threat-actor.json | 68 +++++++++++++++++++-------------------
 1 file changed, 34 insertions(+), 34 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index bf0c65b..89c0611 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
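Review bot: The synonym introduced here is spelled `"ITsecTeam"` while the value it replaces two lines below (`"ITSecTeam"`) and the CFR/SecureWorks spelling use a capital S; synonym matching is normally exact, so the previously searchable name is lost — use `"ITSecTeam"` (or list both). Dropping the whole `related` block also removes the only link from this entry to uuid `86724806-7ec9-4a48-a0a7-ecbde3bf4810`; unless that cluster's own `related` list points back, which is not visible in this hunk, the two halves of the former merged entry end up unconnected. The enclosing entry starts before this hunk.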
@@ -1782,6 +1782,40 @@
 "uuid": "ba724df5-9aa0-45ca-8e0e-7101c208ae48",
 "value": "Flying Kitten"
 },
+ {
+ "description": "One of the threat actors responsible for the denial of service attacks against U.S in 2012–2013. Three individuals associated with the group—believed to be have been working on behalf of Iran’s Islamic Revolutionary Guard Corps—were indicted by the Justice Department in 2016.",
+ "meta": {
+ "attribution-confidence": "50",
+ "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
+ "cfr-suspected-victims": [
+ "United States",
+ "Bank of America",
+ "US Bancorp",
+ "Fifth Third Bank",
+ "Citigroup",
+ "PNC",
+ "BB&T",
+ "Wells Fargo",
+ "Capital One",
+ "HSBC",
+ "AT&T",
+ "NYSE"
+ ],
+ "cfr-type-of-incident": [
+ "Denial of service"
+ ],
+ "country": "IR",
+ "refs": [
+ "https://www.cfr.org/interactive/cyber-operations/itsecteam",
+ "https://www.justice.gov/usao-sdny/file/835061/download"
+ ],
+ "synonyms": [
+ "ITsecTeam"
+ ]
+ },
+ "uuid": "11e17436-6ede-4733-8547-4ce0254ea19e",
+ "value": "Cutting Kitten"
+ },
 {
 "description": "Charming Kitten (aka Parastoo, aka Newscaster) is an group with a suspected nexus to Iran that targets organizations involved in government, defense technology, military, and diplomacy sectors.",
 "meta": {
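Review bot: `"cfr-type-of-incident"` is stored as an array (`["Denial of service"]`) in this entry, whereas the neighbouring Cleaver entry keeps it as a plain string (`"cfr-type-of-incident": "Espionage"`, context of the 2107 hunk in patch 3) and the record this commit restores used `"cfr-type-of-incident": "Denial of service"`; a consumer that assumes one type per key will mishandle one of the two, so prefer the string form unless the galaxy schema is known to accept both. Reinstating uuid `11e17436-6ede-4733-8547-4ce0254ea19e` is the right call, since external references to the original Cutting Kitten cluster keep resolving. The description text and the `"ITsecTeam"` casing are the same as in the earlier hunks (9462 in patch 2, 9581 in patch 4) and carry the issues noted there.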
@@ -9555,40 +9589,6 @@
 "uuid": "091a0b69-74de-44b6-bb12-16b7a8fd078b",
 "value": "ToddyCat"
 },
- {
- "description": "One of the threat actors responsible for the denial of service attacks against U.S in 2012–2013. Three individuals associated with the group—believed to be have been working on behalf of Iran’s Islamic Revolutionary Guard Corps—were indicted by the Justice Department in 2016.",
- "meta": {
- "attribution-confidence": "50",
- "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
- "cfr-suspected-victims": [
- "United States",
- "Bank of America",
- "US Bancorp",
- "Fifth Third Bank",
- "Citigroup",
- "PNC",
- "BB&T",
- "Wells Fargo",
- "Capital One",
- "HSBC",
- "AT&T",
- "NYSE"
- ],
- "cfr-type-of-incident": [
- "Denial of service"
- ],
- "country": "IR",
- "refs": [
- "https://www.cfr.org/interactive/cyber-operations/itsecteam",
- "https://www.justice.gov/usao-sdny/file/835061/download"
- ],
- "synonyms": [
- "ITsecTeam"
- ]
- },
- "uuid": "7a3f505b-10e9-4177-a96f-d476b55fd3dd",
- "value": "CUTTING KITTEN"
- },
 {
 "description": "Microsoft successfully detected and disabled attack activity abusing OneDrive by a previously undocumented Lebanon-based activity group Microsoft Threat Intelligence Center (MSTIC) tracks as POLONIUM.",
 "meta": {