Merge pull request #727 from Mathieu4141/threat-actors/merge-cutting-kitten-cleaver

Fix Cleaver aliases
Alexandre Dulaunoy 2022-07-27 23:17:42 +02:00 committed by GitHub
commit 6427746ad8
GPG key ID: 4AEE18F83AFDEB23


@ -1783,11 +1783,12 @@
"value": "Flying Kitten" "value": "Flying Kitten"
}, },
{ {
"description": "While tracking a suspected Iran-based threat group known as Threat Group-2889[1] (TG-2889), Dell SecureWorks Counter Threat Unit™ (CTU) researchers uncovered a network of fake LinkedIn profiles. These convincing profiles form a self-referenced network of seemingly established LinkedIn users. CTU researchers assess with high confidence the purpose of this network is to target potential victims through social engineering. Most of the legitimate LinkedIn accounts associated with the fake accounts belong to individuals in the Middle East, and CTU researchers assess with medium confidence that these individuals are likely targets of TG-2889. One of the threat actors responsible for the denial of service attacks against U.S in 20122013. Three individuals associated with the group—believed to be have been working on behalf of Irans Islamic Revolutionary Guard Corps—were indicted by the Justice Department in 2016. ", "description": "One of the threat actors responsible for the denial of service attacks against U.S in 20122013. Three individuals associated with the group—believed to be have been working on behalf of Irans Islamic Revolutionary Guard Corps—were indicted by the Justice Department in 2016.",
"meta": { "meta": {
"attribution-confidence": "50", "attribution-confidence": "50",
"cfr-suspected-state-sponsor": "Iran (Islamic Republic of)", "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
"cfr-suspected-victims": [ "cfr-suspected-victims": [
"United States",
"Bank of America", "Bank of America",
"US Bancorp", "US Bancorp",
"Fifth Third Bank", "Fifth Third Bank",
@ -1796,68 +1797,22 @@
"BB&T", "BB&T",
"Wells Fargo", "Wells Fargo",
"Capital One", "Capital One",
"HSBC" "HSBC",
"AT&T",
"NYSE"
], ],
"cfr-target-category": [ "cfr-type-of-incident": [
"Private sector" "Denial of service"
], ],
"cfr-type-of-incident": "Denial of service",
"country": "IR", "country": "IR",
"refs": [ "refs": [
"http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/", "https://www.cfr.org/interactive/cyber-operations/itsecteam",
"https://www.cfr.org/interactive/cyber-operations/itsecteam" "https://www.justice.gov/usao-sdny/file/835061/download"
], ],
"synonyms": [ "synonyms": [
"ITSecTeam", "ITsecTeam"
"Threat Group 2889",
"TG-2889",
"Ghambar"
] ]
}, },
"related": [
{
"dest-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "86724806-7ec9-4a48-a0a7-ecbde3bf4810",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "42be2a84-5a5c-4c6d-9864-3f09d75bb0ba",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "d56c99fa-4710-472c-81a6-41b7a84ea4be",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "a0082cfa-32e2-42b8-92d8-5c7a7409dcf1",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "b96e02f1-4037-463f-b158-5a964352f8d9",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "11e17436-6ede-4733-8547-4ce0254ea19e", "uuid": "11e17436-6ede-4733-8547-4ce0254ea19e",
"value": "Cutting Kitten" "value": "Cutting Kitten"
}, },
@ -2191,36 +2146,29 @@
"cfr-type-of-incident": "Espionage", "cfr-type-of-incident": "Espionage",
"country": "IR", "country": "IR",
"refs": [ "refs": [
"https://www.cfr.org/interactive/cyber-operations/magic-hound",
"https://www.secureworks.com/research/the-curious-case-of-mia-ash", "https://www.secureworks.com/research/the-curious-case-of-mia-ash",
"https://www.cfr.org/interactive/cyber-operations/operation-cleaver", "\"https://www.cfr.org/interactive/cyber-operations/operation-cleaver",
"https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf",
"http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/", "http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/",
"https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-woolen-goldfish-when-kittens-go-phishing", "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-woolen-goldfish-when-kittens-go-phishing",
"https://unit42.paloaltonetworks.com/unit42-magic-hound-campaign-attacks-saudi-targets/",
"https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations", "https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations",
"https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/", "https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/",
"https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-the-spy-kittens-are-back.pdf", "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-the-spy-kittens-are-back.pdf",
"https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf", "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf",
"https://attack.mitre.org/groups/G0059/", "https://attack.mitre.org/groups/G0003/",
"https://attack.mitre.org/groups/G0003/" "https://xorl.wordpress.com/2021/05/06/iran-cyber-operations-groups/",
"https://www.secureworks.com/research/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles",
"https://know.netenrich.com/threatintel/threat_actor/Cutting%20Kitten",
"https://www.cfr.org/cyber-operations/operation-cleaver",
"https://securityaffairs.co/wordpress/33682/cyber-crime/ali-baba-apt-middle-east.html",
"https://scadahacker.com/library/Documents/Cyber_Events/Cylance%20-%20Operation%20Cleaver%20Report.pdf"
], ],
"synonyms": [ "synonyms": [
"Operation Cleaver", "Operation Cleaver",
"Op Cleaver",
"Tarh Andishan", "Tarh Andishan",
"Alibaba", "Alibaba",
"2889",
"TG-2889", "TG-2889",
"Cobalt Gypsy", "Cobalt Gypsy",
"Rocket_Kitten",
"Cutting Kitten",
"Group 41",
"Magic Hound",
"APT35",
"APT 35",
"TEMP.Beanie",
"Ghambar",
"G0059",
"G0003" "G0003"
] ]
}, },
@ -2267,13 +2215,6 @@
], ],
"type": "similar" "type": "similar"
}, },
{
"dest-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{ {
"dest-uuid": "ba724df5-9aa0-45ca-8e0e-7101c208ae48", "dest-uuid": "ba724df5-9aa0-45ca-8e0e-7101c208ae48",
"tags": [ "tags": [
@ -5978,13 +5919,29 @@
"attribution-confidence": "50", "attribution-confidence": "50",
"country": "IR", "country": "IR",
"refs": [ "refs": [
"https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf" "https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf",
"https://attack.mitre.org/groups/G0059/",
"https://www.cfr.org/interactive/cyber-operations/magic-hound",
"https://unit42.paloaltonetworks.com/unit42-magic-hound-campaign-attacks-saudi-targets/",
"https://securityaffairs.co/wordpress/56348/intelligence/magic-hound-campaign.html",
"https://www.cfr.org/cyber-operations/apt-35"
], ],
"synonyms": [ "synonyms": [
"APT 35", "APT 35",
"Newscaster Team" "Newscaster Team",
"Magic Hound",
"G0059"
] ]
}, },
"related": [
{
"dest-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "b8967b3c-3bc9-11e8-8701-8b1ead8c099e", "uuid": "b8967b3c-3bc9-11e8-8701-8b1ead8c099e",
"value": "APT35" "value": "APT35"
}, },
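Review bot: The new-side ref in the Cleaver entry's `refs` list (third hunk, the line that previously read `"https://www.cfr.org/interactive/cyber-operations/operation-cleaver"`) now carries a stray escaped quote at the start of the string, so the stored value is the literal text `"https://www.cfr.org/...` rather than a URL; it should be `"https://www.cfr.org/interactive/cyber-operations/operation-cleaver",`. The document stays valid JSON, which is why a parser will not catch this, but any consumer that dereferences or deduplicates refs will get a broken link. Separately, the Cutting Kitten entry now stores `"cfr-type-of-incident"` as a one-element array (`["Denial of service"]`) while the Cleaver entry in the same file still stores it as a plain string (`"Espionage"`); unless the galaxy schema allows both, one key should keep one type across entries. The retained description text `U.S in 20122013` and `Irans` looks like it lost a period, a year separator and an apostrophe — worth confirming against the source file rather than the rendered page.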