From 97690426bfbc2572b6c6ca251f68cf1c09986476 Mon Sep 17 00:00:00 2001 From: Delta-Sierra Date: Fri, 18 Mar 2022 16:41:10 +0100 Subject: [PATCH 01/13] update threat actors meta --- clusters/threat-actor.json | 177 ++++++++++++++++++++++++++++++------- 1 file changed, 143 insertions(+), 34 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 8e42f7a..9616346 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -67,7 +67,8 @@ "Brown Fox", "GIF89a", "ShadyRAT", - "Shanghai Group" + "Shanghai Group", + "G0006" ] }, "related": [ @@ -278,8 +279,10 @@ "MSUpdater", "4HCrew", "SULPHUR", + "Sulphur", "SearchFire", - "TG-6952" + "TG-6952", + "G0024" ] }, "related": [ @@ -325,7 +328,9 @@ "Buckeye", "Boyusec", "BORON", - "BRONZE MAYFAIR" + "BRONZE MAYFAIR", + "Bronze Mayfair", + "G0022" ] }, "related": [ @@ -425,12 +430,16 @@ "BeeBus", "Group 22", "DynCalc", + "DynCALC", "Calc Team", "DNSCalc", "Crimson Iron", "APT12", "APT 12", - "BRONZE GLOBE" + "BRONZE GLOBE", + "Bronze GLOBE", + "G0005", + "CTG-8223" ] }, "related": [ @@ -465,7 +474,8 @@ ], "synonyms": [ "APT16", - "SVCMONDR" + "SVCMONDR", + "G0023" ] }, "uuid": "1f73e14f-b882-4032-a565-26dc653b0daf", @@ -504,7 +514,17 @@ "Hidden Lynx", "Tailgater Team", "Dogfish", - "BRONZE KEYSTONE" + "BRONZE KEYSTONE", + "Bronze KEYSTONE", + "TEMP.Avengers", + "Sneaky Panda", + "Barium", + "G0025", + "G0066", + "TG-8153", + "ATK 2", + "Elderwood", + "Group 72" ] }, "related": [ @@ -564,8 +584,11 @@ "TG-0416", "APT 18", "SCANDIUM", + "Scandium", + "G0026", "PLA Navy", - "APT18" + "APT18", + "Wekby" ] }, "related": [ @@ -726,12 +749,20 @@ "Deep Panda", "WebMasters", "APT 19", + "APT19", "KungFu Kittens", "Black Vine", "Group 13", "PinkPanther", "Sh3llCr3w", - "BRONZE FIRESTONE" + "BRONZE FIRESTONE", + "Bronze FIRESTONE", + "Sunshop Group", + "C0d0s0", + "G0009", + "G0073", + "TG-3551", + "Pupa" ] }, "related": [ 
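Review bot: The APT17/Hidden Lynx hunk (`BRONZE KEYSTONE` … `Group 72`) adds `"Barium"`, while patch 06 of this same series keeps `"BARIUM"` on the APT41 cluster, so one vendor name now resolves to two clusters — a hard collision if synonym matching is case-insensitive and an ambiguous alias otherwise. The same hunk adds both `"G0025"` and `"G0066"`, two distinct ATT&CK group IDs, together with `"Elderwood"` and `"Sneaky Panda"`, which folds a separately tracked group into this cluster without a ref that says they are the same actor. I would drop `"Barium"`, keep only the G-ID the cluster's refs support, and express the overlap with the other group as a `related` entry carrying an `estimative-language` tag, as the file already does elsewhere.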
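Review bot: The Deep Panda/APT19 hunk (`BRONZE FIRESTONE` … `Pupa`) lists both `"G0009"` and `"G0073"`, which are two separate ATT&CK group entries, so a consumer resolving an ATT&CK ID to a galaxy cluster no longer gets a unique answer from this cluster. The APT17 hunk above has the same `G0025`/`G0066` pairing. Keep one ID per cluster, or record the second group as a `related` link (`"type": "similar"` with an `estimative-language:likelihood-probability` tag), which is the mechanism the file uses for uncertain overlap.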
@@ -1103,12 +1134,21 @@ "menuPass Team", "happyyongzi", "POTASSIUM", + "Potassium", "DustStorm", "Red Apollo", "CVNX", "HOGFISH", + "Hogfish", "Cloud Hopper", - "BRONZE RIVERSIDE" + "BRONZE RIVERSIDE", + "TA 429", + "G0045", + "ITG01", + "Bronze RIVERSIDE", + "CTG-5938", + "ATK 41", + "Cicada" ] }, "related": [ @@ -1132,9 +1172,10 @@ ], "synonyms": [ "APT 9", - "Flowerlady/Flowershow", + "APT9", "Flowerlady", - "Flowershow" + "Flowershow", + "Group 27 " ] }, "uuid": "401dd2c9-bd4f-4814-bb87-701e38f18d45", @@ -1233,7 +1274,12 @@ "Lurid", "Social Network Team", "Royal APT", - "BRONZE PALACE" + "BRONZE PALACE", + "Bronze PALACE", + "G0004", + "Bronze DAVENPORT", + "Bronze IDLEWOOD", + "CTG-9246" ] }, "uuid": "3501fbf2-098f-47e7-be6a-6b0ff5742ce8", @@ -1266,7 +1312,8 @@ "APT14", "APT 14", "QAZTeam", - "ALUMINUM" + "ALUMINUM", + "Aluminum" ] }, "related": [ @@ -2817,7 +2864,17 @@ "GOLD NIAGARA", "Calcium", "Carbanak", - "FIN 7" + "FIN 7", + "ELBRUS", + "G0046", + "ITG14", + "Magecart Group 7", + "Gold NIAGARA", + "Anunak", + "ATK 32", + "APT-C-11", + "Navigator", + "TelePort Crew" ] }, "related": [ @@ -2932,7 +2989,8 @@ "synonyms": [ "FIN4", "FIN 4", - "Wolf Spider" + "Wolf Spider", + "G0085" ] }, "uuid": "ff449346-aa9f-45f6-b482-71e886a5cf57", @@ -3682,7 +3740,14 @@ "MageCart Group 6", "White Giant", "GOLD FRANKLIN", - "FIN 6" + "FIN 6", + "G0037", + "ITG08", + "Magecart Group 6", + "Gold FRANKLIN", + "White Giant", + "ATK 88", + "APT-C-01" ] }, "related": [ @@ -4607,7 +4672,9 @@ "https://attack.mitre.org/groups/G0061" ], "synonyms": [ - "FIN 8" + "FIN 8", + "G0061", + "ATK113" ] }, "related": [ @@ -4705,7 +4772,8 @@ "https://attack.mitre.org/groups/G0062/" ], "synonyms": [ - "TA 459" + "TA 459", + "G0062" ] }, "related": [ 
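Review bot: `"Group 27 "` in the APT9 hunk carries a trailing space, so exact-match synonym lookups and the duplicate check will treat it as a different name from `Group 27`; it should read `"Group 27"`. The same hunk also removes the composite `"Flowerlady/Flowershow"` in favour of the two separate names, which is reasonable but is a deletion and deserves a line in the commit message.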
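Review bot: The Thales identifiers added in this patch are spelled inconsistently — `"ATK113"` in the FIN8 hunk but `"ATK 32"` and `"ATK 88"` with a space in the FIN7 and FIN6 hunks — and the split continues in later hunks (`"ATK104"` beside `"ATK 103"`). Pick one form, the spaced one being the majority in this series, so that a lookup by vendor ID does not depend on which cluster it happens to land on. The FIN6 hunk also re-adds `"ITG08"` and `"White Giant"`, which already appear as context lines in that synonym list; patches 07 and 08 remove them again, so the series should be squashed before merge rather than carrying the defect and its fix as separate commits.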
@@ -4775,6 +4843,7 @@ { "description": "We have observed one APT group, which we call APT5, particularly focused on telecommunications and technology companies. More than half of the organizations we have observed being targeted or breached by APT5 operate in these sectors. Several times, APT5 has targeted organizations and personnel based in Southeast Asia. APT5 has been active since at least 2007. It appears to be a large threat group that consists of several subgroups, often with distinct tactics and infrastructure. APT5 has targeted or breached organizations across multiple industries, but its focus appears to be on telecommunications and technology companies, especially information about satellite communications. \nAPT5 targeted the network of an electronics firm that sells products for both industrial and military applications. The group subsequently stole communications related to the firm’s business relationship with a national military, including inventories and memoranda about specific products they provided. \nIn one case in late 2014, APT5 breached the network of an international telecommunications company. The group used malware with keylogging capabilities to monitor the computer of an executive who manages the company’s relationships with other telecommunications companies", "meta": { + "country": "CN", "refs": [ "https://www.fireeye.com/current-threats/apt-groups.html", "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-southeast-asia-threat-landscape.pdf", @@ -4782,7 +4851,19 @@ ], "synonyms": [ "MANGANESE", - "BRONZE FLEETWOOD" + "BRONZE FLEETWOOD", + "APT 5", + "UNC2630", + "Poisoned Flight", + "Keyhole Panda", + "Pitty Panda", + "Manganese", + "G0011", + "Bronze FLEETWOOD", + "TG-2754", + "PittyTiger", + "DPD", + "TEMP.Bottle" ] }, "uuid": "a47b79ae-7a0c-4308-9efc-294af19cc795", 
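Review bot: The APT5 hunk adds twelve aliases (`UNC2630`, `Keyhole Panda`, `PittyTiger`, `TEMP.Bottle`, `DPD`, …) and a `"country": "CN"`, but the cluster's `refs` stay the FireEye documents already listed, and none of them is visibly the source that equates those vendor names with APT5. Each merged alias should come with the reference that ties it to this group, otherwise a reader of the galaxy cannot check the attribution. If the file already has a separate Pitty Tiger cluster, `"PittyTiger"` and `"Pitty Panda"` would also collide with it, which is worth grepping for before merge.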
@@ -5113,7 +5194,11 @@ "APT4", "APT 4", "BRONZE EDISON", - "Sykipot" + "Bronze EDISON", + "Sykipot", + "Samurai Panda", + "TG-0623", + "Wisp Team" ] }, "uuid": "8e28dbee-4e9e-4491-9a6c-ee9c9ec4b28b", @@ -6710,7 +6795,9 @@ "https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/" ], "synonyms": [ - "Indrik Spider" + "Indrik Spider", + "G0119", + "Gold DRAKE" ] }, "uuid": "658314bc-3bb8-48d2-913a-c528607b75c8", @@ -6851,7 +6938,13 @@ "Dudear", "TA 505", "Graceful Spider", - "TEMP.Warlock" + "TEMP.Warlock", + "Chimborazo", + "G0092", + "Hive0065", + "Gold TAHOE", + "ATK 103", + "SectorJ04" ] }, "uuid": "03c80674-35f8-4fe0-be2b-226ed0fcd69f", @@ -6914,7 +7007,10 @@ "TA542", "GOLD CRESTWOOD", "Mummy Spider", - "TA 542" + "TA 542", + "Gold CRESTWOOD", + "ATK104", + "Mealybug" ] }, "uuid": "c93281be-f6cd-4cd0-a5a3-defde9d77d8b", @@ -7247,7 +7343,10 @@ "COBALT DICKENS", "Mabna Institute", "TA407", - "TA 407" + "TA 407", + "Yellow Nabu", + "SilentLibrarian", + "Silent Librarian" ] }, "uuid": "5059b44d-2753-4977-b987-4922f09afe6b", @@ -7348,7 +7447,8 @@ "https://attack.mitre.org/groups/G0053/" ], "synonyms": [ - "FIN 5" + "FIN 5", + "G0053" ] }, "uuid": "44dc2f9c-8c28-11e9-9b9a-7fdced8cbf70", @@ -7376,7 +7476,8 @@ "https://attack.mitre.org/groups/G0051/" ], "synonyms": [ - "FIN 10" + "FIN 10", + "G0051" ] }, "uuid": "f2d02410-8c2c-11e9-8df1-a31c1fb33d79", @@ -7657,7 +7758,8 @@ "synonyms": [ "Temp.Hex", "Vicious Panda", - "TA 428" + "TA 428", + "Bronze DUDLEY" ] }, "uuid": "5533d062-18ab-4c70-9472-0eac03f95a1d", @@ -7780,7 +7882,8 @@ ], "synonyms": [ "LookBack", - "TA 410" + "TA 410", + "TALONITE" ] }, "uuid": "5cd95926-0098-435e-892d-9c9f61763ad7", @@ -8092,7 +8195,8 @@ "GOLD ESSEX", "TA544", "TA 544", - "Narwhal Spider" + "Narwhal Spider", + "Gold ESSEX" ] }, "uuid": "fda9cdea-0017-495e-879d-0f348db2aa07", 
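Review bot: The APT4 hunk adds `"Bronze EDISON"` next to the existing `"BRONZE EDISON"`, a half-normalised spelling no vendor uses (Secureworks writes it all-caps; title case would be `Bronze Edison`), and the same variant form is added throughout the series (`Bronze FLEETWOOD`, `Gold NIAGARA`, `Bronze RIVERSIDE`, `Gold DRAKE`). If consumers match synonyms case-insensitively these entries are pure noise; if they match exactly, the spelling a user would actually type is the title-case one, which is still missing. Either normalise case at lookup time and drop the variants, or add the real title-case spelling instead of the mixed one.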
@@ -8384,7 +8488,8 @@ "TEMP.Warlock", "FIN 11", "UNC902", - "Graceful Spider" + "Graceful Spider", + "Gold Evergreen" ] }, "uuid": "c01aadc6-1087-4e8e-8d5c-a27eba409fe3", @@ -8540,7 +8645,8 @@ "synonyms": [ "UNC1151", "TA 445", - "TA445" + "TA445", + "UAC-0051" ] }, "uuid": "749aaa11-f0fd-416b-bf6c-112f9b5930a5", @@ -8759,7 +8865,8 @@ "Shakthak", "TA551", "TA 551", - "Lunar Spider" + "Lunar Spider", + "G0127" ] }, "uuid": "36e8c848-4d20-47ea-9fc2-31aa17bf82d1", @@ -9058,7 +9165,8 @@ ], "synonyms": [ "Scully Spider", - "TA 547" + "TA 547", + "TH-163" ] }, "uuid": "29fbc8d4-1e6e-4edc-9887-bdf47f36e4c1", @@ -9071,7 +9179,8 @@ "https://www.thaicert.or.th/downloads/files/Threat_Group_Cards_v2.0.pdf" ], "synonyms": [ - "TH-163" + "TH-163", + "TA 554" ] }, "uuid": "36f1a1b8-e03a-484f-95a3-005345679cbe", From c35fad32917c2e7072096a68fea1c7a2c1430c27 Mon Sep 17 00:00:00 2001 From: Mathieu Beligon Date: Mon, 28 Mar 2022 12:11:34 +0200 Subject: [PATCH 02/13] Add threat actor group Scarab --- clusters/threat-actor.json | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 4815b45..64241ba 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
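Review bot: `"TH-163"` is added to the Scully Spider/TA 547 cluster in the `@@ -9058` hunk, while the very next hunk (`@@ -9071`) shows a separate cluster that already has `"TH-163"` as a synonym and now gains `"TA 554"`. A ThaiCERT group ID cannot belong to two clusters, so one of the two mappings is wrong; since the second cluster is keyed on TH-163 itself, the first addition looks like the mistake and should be dropped, or the two clusters merged if they really are the same actor.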
@@ -9051,6 +9051,24 @@
 },
 "uuid": "d9e5be22-1a04-4956-af6c-37af02330980",
 "value": "LAPSUS"
+ },
+ {
+ "description": "Scarab APT was first spotted in 2015, but is believed to have been active since at least 2012, conducting surgical attacks against a small number of individuals across the world, including Russia and the United States. The backdoor deployed by Scarab in their campaigns is most commonly known as Scieron.",
+ "meta": {
+ "cfr-suspected-victims": [
+ "Russia",
+ "Ukraine",
+ "United States"
+ ],
+ "cfr-type-of-incident": "Espionage",
+ "country": "CN",
+ "refs": [
+ "https://web.archive.org/web/20150124025612/http://www.symantec.com:80/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012",
+ "https://www.sentinelone.com/labs/chinese-threat-actor-scarab-targeting-ukraine"
+ ]
+ },
+ "uuid": "ef59014b-79bb-408f-97f1-3c585a240ca7",
+ "value": "Scarab"
 }
 ],
 "version": 215
From a9a09d11c6d75d5d740e7652e404e3c5d50732ef Mon Sep 17 00:00:00 2001
From: Sami Mokaddem
Date: Thu, 31 Mar 2022 08:59:36 +0200
Subject: [PATCH 03/13] chg: jq all
---
clusters/android.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/android.json b/clusters/android.json
index c8b24bb..26dd40d 100644
--- a/clusters/android.json
+++ b/clusters/android.json
@@ -4656,4 +4656,4 @@
 }
 ],
 "version": 20
-}
+}
\ No newline at end of file
From 04a560efa6a388ed81194911cc199615ef1074a3 Mon Sep 17 00:00:00 2001
From: Sami Mokaddem
Date: Thu, 31 Mar 2022 08:59:42 +0200
Subject: [PATCH 04/13] chg: [mitre-attack] Bumped matrix structure
---
galaxies/mitre-attack-pattern.json | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/galaxies/mitre-attack-pattern.json b/galaxies/mitre-attack-pattern.json
index 930ce96..5bf1ad4 100644
--- a/galaxies/mitre-attack-pattern.json
+++ b/galaxies/mitre-attack-pattern.json
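Review bot: The new Scarab entry uses the `cfr-suspected-victims` and `cfr-type-of-incident` keys, which elsewhere in this file sit next to a `https://www.cfr.org/interactive/cyber-operations/...` reference (the APT30 cluster, for instance), but its `refs` are only the Symantec and SentinelOne posts, so the CFR-sourced fields have no visible source. Either add the CFR tracker URL to `refs` or move the victims and incident type under non-`cfr-` keys. The description also calls the group "Scarab APT", so `"synonyms": ["Scarab APT"]` would make it findable under that spelling.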
@@ -3,6 +3,8 @@
 "icon": "map",
 "kill_chain_order": {
 "mitre-attack": [
+ "reconnaissance",
+ "resource-development",
 "initial-access",
 "execution",
 "persistence",
@@ -18,16 +20,17 @@
 ],
 "mitre-mobile-attack": [
 "initial-access",
+ "execution",
 "persistence",
 "privilege-escalation",
 "defense-evasion",
 "credential-access",
 "discovery",
 "lateral-movement",
- "effects",
 "collection",
- "exfiltration",
 "command-and-control",
+ "exfiltration",
+ "impact",
 "network-effects",
 "remote-service-effects"
 ],
@@ -53,5 +56,5 @@
 "namespace": "mitre-attack",
 "type": "mitre-attack-pattern",
 "uuid": "c4e851fa-775f-11e7-8163-b774922098cd",
- "version": 8
+ "version": 9
 }
From 4242732af18c873e192a8450bac466bd59742b91 Mon Sep 17 00:00:00 2001
From: Sami Mokaddem
Date: Thu, 31 Mar 2022 09:05:22 +0200
Subject: [PATCH 05/13] chg: jq all 2
---
clusters/android.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/android.json b/clusters/android.json
index 26dd40d..c8b24bb 100644
--- a/clusters/android.json
+++ b/clusters/android.json
@@ -4656,4 +4656,4 @@
 }
 ],
 "version": 20
-}
\ No newline at end of file
+}
From 0f7803b0911bb112d1ba454e5513d9e167761061 Mon Sep 17 00:00:00 2001
From: Delta-Sierra
Date: Fri, 1 Apr 2022 16:00:27 +0200
Subject: [PATCH 06/13] update threat actors meta
---
clusters/threat-actor.json | 228 +++++++++++++++++++++++++++++++++----
1 file changed, 205 insertions(+), 23 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 9616346..f0d8766 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -668,10 +668,14 @@
 "LEAD",
 "WICKED SPIDER",
 "WICKED PANDA",
+ "Wicked Panda",
 "BARIUM",
 "BRONZE ATLAS",
 "BRONZE EXPORT",
- "Red Kelpie"
+ "Red Kelpie",
+ "G0044",
+ "G0096",
+ "TG-2633"
 ]
 },
 "related": [
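Review bot: The `mitre-mobile-attack` list drops the `effects` phase and introduces `impact`, which reads as a rename rather than an addition, so any cluster entry whose `kill_chain` still says `mitre-mobile-attack:effects` will no longer map to a phase of this galaxy. The commit only bumps `version` 8→9; it should either regenerate `clusters/mitre-attack-pattern.json` in the same change or state in the message that the cluster refresh follows, and a short note of the ATT&CK release this order mirrors would help the next person who has to re-sync it. The enterprise list continues past the hunk, so I could not check the rest of its order.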
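Review bot: The APT41 hunk adds both `"G0044"` and `"G0096"`, two distinct ATT&CK group IDs, on a cluster that also keeps `"BARIUM"`, while patch 01 of this series puts `"Barium"` on the APT17 cluster — the same vendor name now points at two clusters. If the two ATT&CK groups are deliberately merged here, the commit message should say so and the second ID would be better expressed as a `related` entry; either way `"Barium"` should live on only one cluster.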
@@ -1068,7 +1072,13 @@ "ZipToken", "Iron Tiger", "BRONZE UNION", - "Lucky Mouse" + "Bronze Union", + "Lucky Mouse", + "LuckyMouse", + "Emissary Panda", + "G0027", + "ATK 15", + "ATK15" ] }, "related": [ @@ -1610,7 +1620,10 @@ "APT20", "APT 20", "TH3Bug", - "Twivy" + "Twivy", + "APT 8", + "APT8", + "G0116" ] }, "uuid": "8bcd855f-a4c1-453a-bede-ff36582f4f40", @@ -1692,7 +1705,9 @@ "KeyBoy", "TropicTrooper", "Tropic Trooper", - "BRONZE HOBART" + "BRONZE HOBART", + "Bronze Hobart", + "G0081" ] }, "uuid": "7f16d1f5-04ee-4d99-abf0-87e1f23f9fee", @@ -2015,9 +2030,16 @@ "APT 33", "Elfin", "MAGNALLIUM", + "Magnallium", "Refined Kitten", "HOLMIUM", - "COBALT TRINITY" + "Holmium", + "COBALT TRINITY", + "COBALT Trinity", + "TA 451", + "G0064", + "ATK 35", + "Group 83" ] }, "related": [ @@ -2228,7 +2250,18 @@ "APT35", "APT 35", "TEMP.Beanie", - "Ghambar" + "Ghambar", + "TA 453", + "NewsBeef", + "Charming Kitten", + "Phosphorus", + "G0003", + "G0059", + "COBALT illusion", + "Timberworm", + "C-Major", + "Newscaster", + "TunnelVision" ] }, "related": [ @@ -2301,6 +2334,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "b8967b3c-3bc9-11e8-8701-8b1ead8c099e", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" } ], "uuid": "86724806-7ec9-4a48-a0a7-ecbde3bf4810", @@ -2435,6 +2475,7 @@ "Fancy Bear", "Sednit", "SNAKEMACKEREL", + "Snakemackerel", "TsarTeam", "Tsar Team", "TG-4127", @@ -2443,10 +2484,20 @@ "TAG_0700", "Swallowtail", "IRON TWILIGHT", + "Iron Twilight", "Group 74", "SIG40", "Grizzly Steppe", - "apt_sofacy" + "apt_sofacy", + "TA 422", + "Strontium", + "G0007", + "ITG05", + "ATK 5", + "ATK5", + "Swallowtail", + "T-APT-12", + "APT-C-20" ] }, "related": [ @@ -2513,6 +2564,7 @@ "CozyDuke", "EuroAPT", "CozyBear", + "Cozy Bear", "CozyCar", "Cozer", "Office Monkeys", 
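Review bot: The `@@ -2228` hunk adds `"Charming Kitten"`, `"Phosphorus"`, `"Newscaster"` and `"TunnelVision"` to cluster `86724806-…` and links it as `similar` to `b8967b3c-…`, yet that second cluster (visible in a later hunk of this patch) has `"value": "APT35"` and `"Newscaster Team"` as a synonym while this one already lists `"APT35"`/`"APT 35"`. Two clusters sharing the APT35 name with only a `similar` link is exactly the ambiguity a synonym list is meant to remove; they should be merged, or the aliases kept on one side only. Adding both `"G0003"` and `"G0059"` has the same problem seen elsewhere in the series — two ATT&CK IDs on one cluster.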
@@ -2524,8 +2576,15 @@ "SeaDuke", "Hammer Toss", "YTTRIUM", + "Yttrium", "Iron Hemlock", - "Grizzly Steppe" + "Grizzly Steppe", + "TA 421", + "CloudLook", + "G0016", + "ITG11", + "ATK7", + "ATK 7" ] }, "related": [ @@ -3166,7 +3225,20 @@ "Nickel Academy", "APT-C-26", "NICKEL GLADSTONE", - "COVELLITE" + "COVELLITE", + "Stardust Chollima", + "G0082", + "G0032", + "ITG03", + "Hive0080", + "CTG-6459", + "Lazarus", + "ATK 117", + "T-APT-15", + "Klipodenc", + "SectorA01", + "BeagleBoyz", + "NESTEGG" ] }, "related": [ @@ -3332,8 +3404,11 @@ "APT36", "APT 36", "TMP.Lapis", + "TEMP.Lapis", "Green Havildar", - "COPPER FIELDSTONE" + "COPPER FIELDSTONE", + "G0134", + "APT-C-56" ] }, "related": [ @@ -3431,7 +3506,14 @@ "Sarit", "Quilted Tiger", "APT-C-09", - "ZINC EMERSON" + "ZINC EMERSON", + "Confucius", + "ATK 11", + "TG-4410", + "G0040", + "G0089", + "Viceroy Tiger", + "Dropping Elephant" ] }, "related": [ @@ -3627,7 +3709,13 @@ "https://www.cfr.org/interactive/cyber-operations/apt-30" ], "synonyms": [ - "APT30" + "APT30", + "Naikon", + "Override Panda", + "G0019", + "G0013", + "BRONZE STERLING", + "CTG-5326" ] }, "related": [ @@ -3847,7 +3935,13 @@ "Helix Kitten", "APT 34", "APT34", - "IRN2" + "IRN2", + "TA 452", + "G0049", + "G0116", + "ITG13", + "ATK 40", + "Chrysene" ] }, "related": [ @@ -4513,7 +4607,11 @@ "Ocean Buffalo", "POND LOACH", "TIN WOODLAWN", - "BISMUTH" + "Tin Woodlawn", + "Woodlawn", + "BISMUTH", + "G0050", + "SectorF01" ] }, "related": [ @@ -4825,7 +4923,9 @@ "synonyms": [ "CactusPete", "Karma Panda", - "BRONZE HUNTLEY" + "BRONZE HUNTLEY", + "Bronze HUNTLEY", + "G0131" ] }, "uuid": "0ab7c8de-fc23-4793-99aa-7ee336199e26", @@ -4879,7 +4979,11 @@ ], "synonyms": [ "APT22", - "BRONZE OLIVE" + "BRONZE OLIVE", + "Bronze Olive", + "Group 46", + "Suckfly", + "G0039" ] }, "uuid": "7a2457d6-148a-4ce1-9e79-aa43352ee842", 
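Review bot: The OilRig/APT34 hunk adds `"G0116"`, but this same patch has already placed `"G0116"` on the APT20 cluster (the `"APT 8"`/`"APT8"`/`"G0116"` hunk earlier in the file); an ATT&CK ID is unique, so one of the two is wrong and a consumer resolving G0116 will get whichever cluster it meets first. The APT20 placement is the one I would keep, leaving the OilRig list with `"G0049"` only.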
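Review bot: The Lazarus hunk adds `"G0082"` beside `"G0032"`, plus `"BeagleBoyz"`, `"ITG03"` and `"Hive0080"`; G0082 is a separate ATT&CK group entry, so this folds a second tracked group into the Lazarus cluster without a ref that says the two are the same actor, and the APT30 hunk below does the same with `"G0019"`/`"G0013"` and `"Naikon"`. If a dedicated APT38 or Naikon cluster exists in this file, these additions also create cross-cluster duplicates; either way each merged ID should be backed by a reference or moved to a `related` entry.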
@@ -4944,7 +5048,14 @@ "Hippo Team", "JerseyMikes", "Turbine Panda", - "BRONZE EXPRESS" + "BRONZE EXPRESS", + "Bronze Express", + "KungFu Kittens", + "WebMasters", + "Black Vine", + "Group 13", + "Shell Crew", + "PinkPanther" ] }, "related": [ @@ -5800,7 +5911,15 @@ "Red Eyes", "Ricochet Chollima", "ScarCruft", - "Venus 121" + "Venus 121", + "TEMP.Reaper", + "Thallium", + "G0067", + "ITG10", + "ATK 4", + "Hermit", + "Geumseong121", + "Hidden Cobra" ] }, "related": [ @@ -5886,8 +6005,16 @@ "APT 40", "APT40", "BRONZE MOHAWK", + "Bronze Mohawk", "GADOLINIUM", - "Kryptonite Panda" + "Gadolinium", + "Kryptonite Panda", + "G0065", + "ITG09", + "ATK29", + "Flaccid Rose", + "Nanhaishu", + "Mudcarp" ] }, "related": [ @@ -5915,6 +6042,15 @@ "Newscaster Team" ] }, + "related": [ + { + "dest-uuid": "86724806-7ec9-4a48-a0a7-ecbde3bf4810", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + } + ], "uuid": "b8967b3c-3bc9-11e8-8701-8b1ead8c099e", "value": "APT35" }, @@ -6079,6 +6215,7 @@ "Private sector" ], "cfr-type-of-incident": "Espionage", + "country": "RU", "mode-of-operation": "Deep ICS environment information gathering, operator credentials, industrial process details", "refs": [ "https://dragos.com/adversaries.html", @@ -6089,7 +6226,10 @@ "synonyms": [ "Dragonfly 2.0", "Dragonfly2", - "Berserker Bear" + "Berserker Bear", + "Berserk Bear", + "G0074", + "Dymalloy" ], "victimology": "Turkey, Europe, US" }, @@ -6531,6 +6671,12 @@ "refs": [ "https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/", "https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/" + ], + "synonyms": [ + "G0112", + "Urpage", + "EHDevel", + "WindShift" ] }, "uuid": "dc3edacc-bb24-11e8-81fb-8c16458922a7", 
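Review bot: The Turbine Panda/BRONZE EXPRESS hunk adds `"KungFu Kittens"`, `"WebMasters"`, `"Black Vine"`, `"Group 13"` and `"PinkPanther"`, all of which are already synonyms of the Deep Panda cluster (the `"Deep Panda", "WebMasters", "APT 19", "KungFu Kittens" …` context visible in patch 01), so five names now resolve to two clusters. If the intent is that Turbine Panda and Deep Panda are one actor the clusters should be merged; if not, these aliases belong on only one of them, and the new `"Shell Crew"` should be reconciled with the `"Sh3llCr3w"` spelling Deep Panda already carries.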
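Review bot: The APT37/ScarCruft hunk adds `"Hidden Cobra"` and `"Thallium"`, names that vendor reporting commonly attaches to other DPRK clusters (US-CERT's HIDDEN COBRA to Lazarus-attributed activity, Microsoft's THALLIUM to Kimsuky); if those clusters in this file already carry them, this creates two more cross-cluster duplicates, and in any case the cluster's `refs` are not extended to support the attribution. I would keep only the aliases a listed reference ties to APT37 and add a ref for each new one.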
@@ -7079,7 +7225,11 @@ "APT 39", "Chafer", "REMIX KITTEN", - "COBALT HICKMAN" + "Remix Kitten", + "COBALT HICKMAN", + "TA 454", + "G0087", + "ITG07" ] }, "uuid": "c2c64bd3-a325-446f-91a8-b4c0f173a30b", @@ -7381,9 +7531,13 @@ ], "synonyms": [ "APT 31", + "APT31", "ZIRCONIUM", + "Zirconium", "JUDGMENT PANDA", - "BRONZE VINEWOOD" + "Judgment Panda", + "BRONZE VINEWOOD", + "G0128" ] }, "uuid": "6bf7e6b6-5917-45a6-9567-f0baba79768c", @@ -7927,6 +8081,7 @@ { "description": "For the first time, the activity of the Calypso group was detected by specialists of PT Expert Security Center in March 2019, during the work to detect cyber threats. As a result, many malware samples of this group were obtained, affected organizations and control servers of intruders were identified. According to our data, the group has been active since at least September 2016. The main goal of the group is to steal confidential data, the main victims are government agencies from Brazil, India, Kazakhstan, Russia, Thailand, Turkey. Our data suggest that the group has Asian roots. Description translated from Russian.", "meta": { + "country": "CN", "refs": [ "https://www.ptsecurity.com/upload/corporate/ru-ru/analytics/calypso-apt-2019-rus.pdf" ], 
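Review bot: The Calypso hunk adds `"country": "CN"`, but the cluster's own description, two lines above and drawn from the single PT Security ref, only says the group "has Asian roots", so the new field asserts more than the cited source does. Either add a reference that makes the China attribution explicitly, or leave `country` unset and let the description carry the hedged statement.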
@@ -9225,7 +9380,34 @@ }, "uuid": "d45dd940-b38d-4b2c-9f2f-3e4a0eac841c", "value": "MosesStaff" + }, + { + "description": "The group’s existence came to light during Context’s investigation of a number of attacks against multinational enterprises that compromise smaller engineering services and consultancies working in their supply chains.", + "meta": { + "country": "CN", + "refs": [ + "https://www.computerweekly.com/news/252471769/New-threat-group-behind-Airbus-cyber-attacks-claim-researchers" + ] + }, + "uuid": "8045fc09-13d6-4f90-b239-ed5060b9297b", + "value": "Avivore" + }, + { + "description": "The Bitter threat group initially started using RAT tools in their campaigns, as the first Bitter versions, for Android released in 2014 were based on the AndroRAT framework. Over time, they switched to a custom version that has been known as BitterRAT ever since.", + "meta": { + "country": "IN", + "refs": [ + "https://www.bitdefender.com/files/News/CaseStudies/study/352/Bitdefender-PR-Whitepaper-BitterAPT-creat4571-en-EN-GenericUse.pdf" + ], + "synonyms": [ + "BitterAPT", + "T-APT-17", + "APT-C-08" + ] + }, + "uuid": "1e9bd6fe-e009-41ce-8e92-ad78c73ee772", + "value": "Bitter" } ], - "version": 214 + "version": 216 } From dcc396108ccfe7e6614010463f9f8c8e33ca55bb Mon Sep 17 00:00:00 2001 From: Delta-Sierra Date: Fri, 1 Apr 2022 16:36:47 +0200 Subject: [PATCH 07/13] fix duplicate --- clusters/threat-actor.json | 1 - 1 file changed, 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 27de3da..8f9d3d6 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -3840,7 +3840,6 @@ "ITG08", "Magecart Group 6", "Gold FRANKLIN", - "White Giant", "ATK 88", "APT-C-01" ] From 7c3e8ac068dd9fa7a0e019487dfe3b33321f0bf3 Mon Sep 17 00:00:00 2001 From: Delta-Sierra Date: Fri, 1 Apr 2022 16:40:40 +0200 Subject: [PATCH 08/13] fix duplicate --- clusters/threat-actor.json | 2 -- 1 file changed, 2 deletions(-) 
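Review bot: Both new entries attach a `country` (`CN` for Avivore, `IN` for Bitter) on the strength of a single source — a Computer Weekly news item and one Bitdefender whitepaper — and neither description states the attribution, so a reader cannot verify it from the entry; add the primary report (the Context IS Avivore write-up) or drop `country` until one is cited. The Bitter description also needs a grammar pass: `as the first Bitter versions, for Android released in 2014 were based on` → `as the first Bitter versions for Android, released in 2014, were based on`. The Avivore description never names the group, so a closing sentence such as "Context Information Security tracks the group as Avivore." would make the entry self-explanatory.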
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 8f9d3d6..8f5028a 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -3837,8 +3837,6 @@
 "GOLD FRANKLIN",
 "FIN 6",
 "G0037",
- "ITG08",
- "Magecart Group 6",
 "Gold FRANKLIN",
 "ATK 88",
 "APT-C-01"
From 909fc09992f846021e4d189694f535ee6871e936 Mon Sep 17 00:00:00 2001
From: Delta-Sierra
Date: Fri, 1 Apr 2022 16:44:47 +0200
Subject: [PATCH 09/13] duplicate
---
clusters/threat-actor.json | 1 -
1 file changed, 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 8f5028a..cd2f81c 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -3225,7 +3225,6 @@
 "APT-C-26",
 "NICKEL GLADSTONE",
 "COVELLITE",
- "Stardust Chollima",
 "G0082",
 "G0032",
 "ITG03",
From fb557fd3a25e3ff03c24971e0e216ec3a17638c0 Mon Sep 17 00:00:00 2001
From: Delta-Sierra
Date: Fri, 1 Apr 2022 16:47:50 +0200
Subject: [PATCH 10/13] dup
---
clusters/threat-actor.json | 1 -
1 file changed, 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index cd2f81c..9d5755c 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -2570,7 +2570,6 @@
 "Office Monkeys",
 "OfficeMonkeys",
 "APT29",
- "Cozy Bear",
 "The Dukes",
 "Minidionis",
 "SeaDuke",
From 73f71c8b154e25c979db2d2a75a1eaa0460bdaee Mon Sep 17 00:00:00 2001
From: Delta-Sierra
Date: Fri, 1 Apr 2022 16:51:27 +0200
Subject: [PATCH 11/13] dup
---
clusters/threat-actor.json | 1 -
1 file changed, 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 9d5755c..4c96b73 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -2495,7 +2495,6 @@
 "ITG05",
 "ATK 5",
 "ATK5",
- "Swallowtail",
 "T-APT-12",
 "APT-C-20"
 ]
From 50f39edc1022eeaf32f8f33b94306402c8b42e8e Mon Sep 17 00:00:00 2001
From: Rony Date: Sat, 2 Apr 2022 00:55:38 +0530 Subject: [PATCH 12/13] Revert "update threat actors meta" --- clusters/threat-actor.json | 427 +++++-------------------------------- 1 file changed, 51 insertions(+), 376 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 4c96b73..64241ba 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -67,8 +67,7 @@ "Brown Fox", "GIF89a", "ShadyRAT", - "Shanghai Group", - "G0006" + "Shanghai Group" ] }, "related": [ @@ -279,10 +278,8 @@ "MSUpdater", "4HCrew", "SULPHUR", - "Sulphur", "SearchFire", - "TG-6952", - "G0024" + "TG-6952" ] }, "related": [ @@ -328,9 +325,7 @@ "Buckeye", "Boyusec", "BORON", - "BRONZE MAYFAIR", - "Bronze Mayfair", - "G0022" + "BRONZE MAYFAIR" ] }, "related": [ @@ -430,16 +425,12 @@ "BeeBus", "Group 22", "DynCalc", - "DynCALC", "Calc Team", "DNSCalc", "Crimson Iron", "APT12", "APT 12", - "BRONZE GLOBE", - "Bronze GLOBE", - "G0005", - "CTG-8223" + "BRONZE GLOBE" ] }, "related": [ @@ -474,8 +465,7 @@ ], "synonyms": [ "APT16", - "SVCMONDR", - "G0023" + "SVCMONDR" ] }, "uuid": "1f73e14f-b882-4032-a565-26dc653b0daf", @@ -514,17 +504,7 @@ "Hidden Lynx", "Tailgater Team", "Dogfish", - "BRONZE KEYSTONE", - "Bronze KEYSTONE", - "TEMP.Avengers", - "Sneaky Panda", - "Barium", - "G0025", - "G0066", - "TG-8153", - "ATK 2", - "Elderwood", - "Group 72" + "BRONZE KEYSTONE" ] }, "related": [ @@ -584,11 +564,8 @@ "TG-0416", "APT 18", "SCANDIUM", - "Scandium", - "G0026", "PLA Navy", - "APT18", - "Wekby" + "APT18" ] }, "related": [ @@ -668,14 +645,10 @@ "LEAD", "WICKED SPIDER", "WICKED PANDA", - "Wicked Panda", "BARIUM", "BRONZE ATLAS", "BRONZE EXPORT", - "Red Kelpie", - "G0044", - "G0096", - "TG-2633" + "Red Kelpie" ] }, "related": [ 
@@ -753,20 +726,12 @@ "Deep Panda", "WebMasters", "APT 19", - "APT19", "KungFu Kittens", "Black Vine", "Group 13", "PinkPanther", "Sh3llCr3w", - "BRONZE FIRESTONE", - "Bronze FIRESTONE", - "Sunshop Group", - "C0d0s0", - "G0009", - "G0073", - "TG-3551", - "Pupa" + "BRONZE FIRESTONE" ] }, "related": [ @@ -1072,13 +1037,7 @@ "ZipToken", "Iron Tiger", "BRONZE UNION", - "Bronze Union", - "Lucky Mouse", - "LuckyMouse", - "Emissary Panda", - "G0027", - "ATK 15", - "ATK15" + "Lucky Mouse" ] }, "related": [ @@ -1144,21 +1103,12 @@ "menuPass Team", "happyyongzi", "POTASSIUM", - "Potassium", "DustStorm", "Red Apollo", "CVNX", "HOGFISH", - "Hogfish", "Cloud Hopper", - "BRONZE RIVERSIDE", - "TA 429", - "G0045", - "ITG01", - "Bronze RIVERSIDE", - "CTG-5938", - "ATK 41", - "Cicada" + "BRONZE RIVERSIDE" ] }, "related": [ @@ -1182,10 +1132,9 @@ ], "synonyms": [ "APT 9", - "APT9", + "Flowerlady/Flowershow", "Flowerlady", - "Flowershow", - "Group 27 " + "Flowershow" ] }, "uuid": "401dd2c9-bd4f-4814-bb87-701e38f18d45", @@ -1284,12 +1233,7 @@ "Lurid", "Social Network Team", "Royal APT", - "BRONZE PALACE", - "Bronze PALACE", - "G0004", - "Bronze DAVENPORT", - "Bronze IDLEWOOD", - "CTG-9246" + "BRONZE PALACE" ] }, "uuid": "3501fbf2-098f-47e7-be6a-6b0ff5742ce8", @@ -1322,8 +1266,7 @@ "APT14", "APT 14", "QAZTeam", - "ALUMINUM", - "Aluminum" + "ALUMINUM" ] }, "related": [ @@ -1620,10 +1563,7 @@ "APT20", "APT 20", "TH3Bug", - "Twivy", - "APT 8", - "APT8", - "G0116" + "Twivy" ] }, "uuid": "8bcd855f-a4c1-453a-bede-ff36582f4f40", @@ -1705,9 +1645,7 @@ "KeyBoy", "TropicTrooper", "Tropic Trooper", - "BRONZE HOBART", - "Bronze Hobart", - "G0081" + "BRONZE HOBART" ] }, "uuid": "7f16d1f5-04ee-4d99-abf0-87e1f23f9fee", @@ -2030,16 +1968,9 @@ "APT 33", "Elfin", "MAGNALLIUM", - "Magnallium", "Refined Kitten", "HOLMIUM", - "Holmium", - "COBALT TRINITY", - "COBALT Trinity", - "TA 451", - "G0064", - "ATK 35", - "Group 83" + "COBALT TRINITY" ] }, "related": [ 
@@ -2250,18 +2181,7 @@ "APT35", "APT 35", "TEMP.Beanie", - "Ghambar", - "TA 453", - "NewsBeef", - "Charming Kitten", - "Phosphorus", - "G0003", - "G0059", - "COBALT illusion", - "Timberworm", - "C-Major", - "Newscaster", - "TunnelVision" + "Ghambar" ] }, "related": [ @@ -2334,13 +2254,6 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" - }, - { - "dest-uuid": "b8967b3c-3bc9-11e8-8701-8b1ead8c099e", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" } ], "uuid": "86724806-7ec9-4a48-a0a7-ecbde3bf4810", @@ -2475,7 +2388,6 @@ "Fancy Bear", "Sednit", "SNAKEMACKEREL", - "Snakemackerel", "TsarTeam", "Tsar Team", "TG-4127", @@ -2484,19 +2396,10 @@ "TAG_0700", "Swallowtail", "IRON TWILIGHT", - "Iron Twilight", "Group 74", "SIG40", "Grizzly Steppe", - "apt_sofacy", - "TA 422", - "Strontium", - "G0007", - "ITG05", - "ATK 5", - "ATK5", - "T-APT-12", - "APT-C-20" + "apt_sofacy" ] }, "related": [ @@ -2563,26 +2466,19 @@ "CozyDuke", "EuroAPT", "CozyBear", - "Cozy Bear", "CozyCar", "Cozer", "Office Monkeys", "OfficeMonkeys", "APT29", + "Cozy Bear", "The Dukes", "Minidionis", "SeaDuke", "Hammer Toss", "YTTRIUM", - "Yttrium", "Iron Hemlock", - "Grizzly Steppe", - "TA 421", - "CloudLook", - "G0016", - "ITG11", - "ATK7", - "ATK 7" + "Grizzly Steppe" ] }, "related": [ @@ -2918,19 +2814,7 @@ "synonyms": [ "CARBON SPIDER", "GOLD NIAGARA", - "Calcium", - "Carbanak", - "FIN 7", - "ELBRUS", - "G0046", - "ITG14", - "Magecart Group 7", - "Gold NIAGARA", - "Anunak", - "ATK 32", - "APT-C-11", - "Navigator", - "TelePort Crew" + "Calcium" ] }, "related": [ @@ -3043,10 +2927,7 @@ "https://attack.mitre.org/groups/G0085/" ], "synonyms": [ - "FIN4", - "FIN 4", - "Wolf Spider", - "G0085" + "FIN4" ] }, "uuid": "ff449346-aa9f-45f6-b482-71e886a5cf57", 
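Review bot: This revert is not the inverse of one commit: it rewinds `clusters/threat-actor.json` to blob `64241ba` (the state after the Scarab commit) and thereby also deletes synonyms that predate patch 01 — in this hunk `"Carbanak"`, `"FIN 7"`, `"FIN 4"` and `"Wolf Spider"` appear as context lines in patch 01 yet are removed here, and further down the entire `synonyms` blocks of FIN8 (`"FIN 8"`) and TA459 (`"TA 459"`) go with them. The commit message should name the commit(s) being reverted (`This reverts commit …`), and the revert should be regenerated against the correct parent so that pre-existing aliases survive.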
@@ -3222,19 +3103,7 @@ "Nickel Academy", "APT-C-26", "NICKEL GLADSTONE", - "COVELLITE", - "G0082", - "G0032", - "ITG03", - "Hive0080", - "CTG-6459", - "Lazarus", - "ATK 117", - "T-APT-15", - "Klipodenc", - "SectorA01", - "BeagleBoyz", - "NESTEGG" + "COVELLITE" ] }, "related": [ @@ -3412,11 +3281,8 @@ "APT36", "APT 36", "TMP.Lapis", - "TEMP.Lapis", "Green Havildar", - "COPPER FIELDSTONE", - "G0134", - "APT-C-56" + "COPPER FIELDSTONE" ] }, "related": [ @@ -3514,14 +3380,7 @@ "Sarit", "Quilted Tiger", "APT-C-09", - "ZINC EMERSON", - "Confucius", - "ATK 11", - "TG-4410", - "G0040", - "G0089", - "Viceroy Tiger", - "Dropping Elephant" + "ZINC EMERSON" ] }, "related": [ @@ -3717,13 +3576,7 @@ "https://www.cfr.org/interactive/cyber-operations/apt-30" ], "synonyms": [ - "APT30", - "Naikon", - "Override Panda", - "G0019", - "G0013", - "BRONZE STERLING", - "CTG-5326" + "APT30" ] }, "related": [ @@ -3831,12 +3684,7 @@ "ITG08", "MageCart Group 6", "White Giant", - "GOLD FRANKLIN", - "FIN 6", - "G0037", - "Gold FRANKLIN", - "ATK 88", - "APT-C-01" + "GOLD FRANKLIN" ] }, "related": [ @@ -3936,13 +3784,7 @@ "Helix Kitten", "APT 34", "APT34", - "IRN2", - "TA 452", - "G0049", - "G0116", - "ITG13", - "ATK 40", - "Chrysene" + "IRN2" ] }, "related": [ @@ -4608,11 +4450,7 @@ "Ocean Buffalo", "POND LOACH", "TIN WOODLAWN", - "Tin Woodlawn", - "Woodlawn", - "BISMUTH", - "G0050", - "SectorF01" + "BISMUTH" ] }, "related": [ @@ -4769,11 +4607,6 @@ "https://afyonluoglu.org/PublicWebFiles/Reports-TR/2017%20FireEye%20M-Trends%20Report.pdf", "https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html", "https://attack.mitre.org/groups/G0061" - ], - "synonyms": [ - "FIN 8", - "G0061", - "ATK113" ] }, "related": [ @@ -4869,10 +4702,6 @@ "refs": [ "https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts", "https://attack.mitre.org/groups/G0062/" - ], - "synonyms": [ - "TA 459", - "G0062" ] }, "related": [ 
@@ -4924,9 +4753,7 @@ "synonyms": [ "CactusPete", "Karma Panda", - "BRONZE HUNTLEY", - "Bronze HUNTLEY", - "G0131" + "BRONZE HUNTLEY" ] }, "uuid": "0ab7c8de-fc23-4793-99aa-7ee336199e26", @@ -4944,7 +4771,6 @@ { "description": "We have observed one APT group, which we call APT5, particularly focused on telecommunications and technology companies. More than half of the organizations we have observed being targeted or breached by APT5 operate in these sectors. Several times, APT5 has targeted organizations and personnel based in Southeast Asia. APT5 has been active since at least 2007. It appears to be a large threat group that consists of several subgroups, often with distinct tactics and infrastructure. APT5 has targeted or breached organizations across multiple industries, but its focus appears to be on telecommunications and technology companies, especially information about satellite communications. \nAPT5 targeted the network of an electronics firm that sells products for both industrial and military applications. The group subsequently stole communications related to the firm’s business relationship with a national military, including inventories and memoranda about specific products they provided. \nIn one case in late 2014, APT5 breached the network of an international telecommunications company. The group used malware with keylogging capabilities to monitor the computer of an executive who manages the company’s relationships with other telecommunications companies", "meta": { - "country": "CN", "refs": [ "https://www.fireeye.com/current-threats/apt-groups.html", "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-southeast-asia-threat-landscape.pdf", 
@@ -4952,19 +4778,7 @@
 ],
 "synonyms": [
 "MANGANESE",
- "BRONZE FLEETWOOD",
- "APT 5",
- "UNC2630",
- "Poisoned Flight",
- "Keyhole Panda",
- "Pitty Panda",
- "Manganese",
- "G0011",
- "Bronze FLEETWOOD",
- "TG-2754",
- "PittyTiger",
- "DPD",
- "TEMP.Bottle"
+ "BRONZE FLEETWOOD"
 ]
 },
 "uuid": "a47b79ae-7a0c-4308-9efc-294af19cc795",
@@ -4980,11 +4794,7 @@
 ],
 "synonyms": [
 "APT22",
- "BRONZE OLIVE",
- "Bronze Olive",
- "Group 46",
- "Suckfly",
- "G0039"
+ "BRONZE OLIVE"
 ]
 },
 "uuid": "7a2457d6-148a-4ce1-9e79-aa43352ee842",
@@ -5049,14 +4859,7 @@
 "Hippo Team",
 "JerseyMikes",
 "Turbine Panda",
- "BRONZE EXPRESS",
- "Bronze Express",
- "KungFu Kittens",
- "WebMasters",
- "Black Vine",
- "Group 13",
- "Shell Crew",
- "PinkPanther"
+ "BRONZE EXPRESS"
 ]
 },
 "related": [
@@ -5306,11 +5109,7 @@
 "APT4",
 "APT 4",
 "BRONZE EDISON",
- "Bronze EDISON",
- "Sykipot",
- "Samurai Panda",
- "TG-0623",
- "Wisp Team"
+ "Sykipot"
 ]
 },
 "uuid": "8e28dbee-4e9e-4491-9a6c-ee9c9ec4b28b",
@@ -5912,15 +5711,7 @@
 "Red Eyes",
 "Ricochet Chollima",
 "ScarCruft",
- "Venus 121",
- "TEMP.Reaper",
- "Thallium",
- "G0067",
- "ITG10",
- "ATK 4",
- "Hermit",
- "Geumseong121",
- "Hidden Cobra"
+ "Venus 121"
 ]
 },
 "related": [
@@ -6006,16 +5797,8 @@
 "APT 40",
 "APT40",
 "BRONZE MOHAWK",
- "Bronze Mohawk",
 "GADOLINIUM",
- "Gadolinium",
- "Kryptonite Panda",
- "G0065",
- "ITG09",
- "ATK29",
- "Flaccid Rose",
- "Nanhaishu",
- "Mudcarp"
+ "Kryptonite Panda"
 ]
 },
 "related": [
@@ -6043,15 +5826,6 @@
 "Newscaster Team"
 ]
 },
- "related": [
- {
- "dest-uuid": "86724806-7ec9-4a48-a0a7-ecbde3bf4810",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "b8967b3c-3bc9-11e8-8701-8b1ead8c099e",
 "value": "APT35"
 },
@@ -6216,7 +5990,6 @@
 "Private sector"
 ],
 "cfr-type-of-incident": "Espionage",
- "country": "RU",
 "mode-of-operation": "Deep ICS environment information gathering, operator credentials, industrial process details",
 "refs": [
 "https://dragos.com/adversaries.html",
@@ -6227,10 +6000,7 @@
 "synonyms": [
 "Dragonfly 2.0",
 "Dragonfly2",
- "Berserker Bear",
- "Berserk Bear",
- "G0074",
- "Dymalloy"
+ "Berserker Bear"
 ],
 "victimology": "Turkey, Europe, US"
 },
@@ -6651,12 +6421,6 @@
 "refs": [
 "https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/",
 "https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/"
- ],
- "synonyms": [
- "G0112",
- "Urpage",
- "EHDevel",
- "WindShift"
 ]
 },
 "uuid": "dc3edacc-bb24-11e8-81fb-8c16458922a7",
@@ -6919,11 +6683,6 @@
 "country": "RU",
 "refs": [
 "https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/"
- ],
- "synonyms": [
- "Indrik Spider",
- "G0119",
- "Gold DRAKE"
 ]
 },
 "uuid": "658314bc-3bb8-48d2-913a-c528607b75c8",
@@ -7062,15 +6821,7 @@
 "GRACEFUL SPIDER",
 "GOLD TAHOE",
 "Dudear",
- "TA 505",
- "Graceful Spider",
- "TEMP.Warlock",
- "Chimborazo",
- "G0092",
- "Hive0065",
- "Gold TAHOE",
- "ATK 103",
- "SectorJ04"
+ "TEMP.Warlock"
 ]
 },
 "uuid": "03c80674-35f8-4fe0-be2b-226ed0fcd69f",
@@ -7129,12 +6880,7 @@
 ],
 "synonyms": [
 "TA542",
- "GOLD CRESTWOOD",
- "Mummy Spider",
- "TA 542",
- "Gold CRESTWOOD",
- "ATK104",
- "Mealybug"
+ "GOLD CRESTWOOD"
 ]
 },
 "uuid": "c93281be-f6cd-4cd0-a5a3-defde9d77d8b",
@@ -7201,11 +6947,7 @@
 "synonyms": [
 "Chafer",
 "REMIX KITTEN",
- "Remix Kitten",
- "COBALT HICKMAN",
- "TA 454",
- "G0087",
- "ITG07"
+ "COBALT HICKMAN"
 ]
 },
 "uuid": "c2c64bd3-a325-446f-91a8-b4c0f173a30b",
@@ -7468,11 +7210,7 @@
 "synonyms": [
 "COBALT DICKENS",
 "Mabna Institute",
- "TA407",
- "TA 407",
- "Yellow Nabu",
- "SilentLibrarian",
- "Silent Librarian"
+ "TA407"
 ]
 },
 "uuid": "5059b44d-2753-4977-b987-4922f09afe6b",
@@ -7506,13 +7244,9 @@
 "https://twitter.com/bkMSFT/status/1417823714922610689"
 ],
 "synonyms": [
- "APT 31",
 "ZIRCONIUM",
- "Zirconium",
 "JUDGMENT PANDA",
- "Judgment Panda",
- "BRONZE VINEWOOD",
- "G0128"
+ "BRONZE VINEWOOD"
 ]
 },
 "uuid": "6bf7e6b6-5917-45a6-9567-f0baba79768c",
@@ -7574,10 +7308,6 @@
 "refs": [
 "https://www.darkreading.com/analytics/prolific-cybercrime-gang-favors-legit-login-credentials/d/d-id/1322645?",
 "https://attack.mitre.org/groups/G0053/"
- ],
- "synonyms": [
- "FIN 5",
- "G0053"
 ]
 },
 "uuid": "44dc2f9c-8c28-11e9-9b9a-7fdced8cbf70",
@@ -7600,10 +7330,6 @@
 "refs": [
 "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin10.pdf",
 "https://attack.mitre.org/groups/G0051/"
- ],
- "synonyms": [
- "FIN 10",
- "G0051"
 ]
 },
 "uuid": "f2d02410-8c2c-11e9-8df1-a31c1fb33d79",
@@ -7883,9 +7609,7 @@
 ],
 "synonyms": [
 "Temp.Hex",
- "Vicious Panda",
- "TA 428",
- "Bronze DUDLEY"
+ "Vicious Panda"
 ]
 },
 "uuid": "5533d062-18ab-4c70-9472-0eac03f95a1d",
@@ -8005,11 +7729,6 @@
 "https://www.proofpoint.com/us/threat-insight/post/lookback-forges-ahead-continued-targeting-united-states-utilities-sector-reveals",
 "https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks",
 "https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new"
- ],
- "synonyms": [
- "LookBack",
- "TA 410",
- "TALONITE"
 ]
 },
 "uuid": "5cd95926-0098-435e-892d-9c9f61763ad7",
@@ -8053,7 +7772,6 @@
 {
 "description": "For the first time, the activity of the Calypso group was detected by specialists of PT Expert Security Center in March 2019, during the work to detect cyber threats. As a result, many malware samples of this group were obtained, affected organizations and control servers of intruders were identified. According to our data, the group has been active since at least September 2016. The main goal of the group is to steal confidential data, the main victims are government agencies from Brazil, India, Kazakhstan, Russia, Thailand, Turkey. Our data suggest that the group has Asian roots. Description translated from Russian.",
 "meta": {
- "country": "CN",
 "refs": [
 "https://www.ptsecurity.com/upload/corporate/ru-ru/analytics/calypso-apt-2019-rus.pdf"
 ]
@@ -8314,10 +8032,7 @@
 ],
 "synonyms": [
 "GOLD ESSEX",
- "TA544",
- "TA 544",
- "Narwhal Spider",
- "Gold ESSEX"
+ "TA544"
 ]
 },
 "uuid": "fda9cdea-0017-495e-879d-0f348db2aa07",
@@ -8605,9 +8320,7 @@
 "synonyms": [
 "TEMP.Warlock",
 "UNC902",
- "GRACEFUL SPIDER",
- "Graceful Spider",
- "Gold Evergreen"
+ "GRACEFUL SPIDER"
 ]
 },
 "uuid": "c01aadc6-1087-4e8e-8d5c-a27eba409fe3",
@@ -8762,9 +8475,7 @@
 ],
 "synonyms": [
 "UNC1151",
- "TA 445",
- "TA445",
- "UAC-0051"
+ "TA445"
 ]
 },
 "uuid": "749aaa11-f0fd-416b-bf6c-112f9b5930a5",
@@ -8981,10 +8692,7 @@
 ],
 "synonyms": [
 "Shakthak",
- "TA551",
- "TA 551",
- "Lunar Spider",
- "G0127"
+ "TA551"
 ]
 },
 "uuid": "36e8c848-4d20-47ea-9fc2-31aa17bf82d1",
@@ -9274,11 +8982,6 @@
 "meta": {
 "refs": [
 "https://www.thaicert.or.th/downloads/files/Threat_Group_Cards_v2.0.pdf"
- ],
- "synonyms": [
- "Scully Spider",
- "TA 547",
- "TH-163"
 ]
 },
 "uuid": "29fbc8d4-1e6e-4edc-9887-bdf47f36e4c1",
@@ -9291,8 +8994,7 @@
 "https://www.thaicert.or.th/downloads/files/Threat_Group_Cards_v2.0.pdf"
 ],
 "synonyms": [
- "TH-163",
- "TA 554"
+ "TH-163"
 ]
 },
 "uuid": "36f1a1b8-e03a-484f-95a3-005345679cbe",
@@ -9335,33 +9037,6 @@
 "uuid": "d45dd940-b38d-4b2c-9f2f-3e4a0eac841c",
 "value": "MosesStaff"
 },
- {
- "description": "The group’s existence came to light during Context’s investigation of a number of attacks against multinational enterprises that compromise smaller engineering services and consultancies working in their supply chains.",
- "meta": {
- "country": "CN",
- "refs": [
- "https://www.computerweekly.com/news/252471769/New-threat-group-behind-Airbus-cyber-attacks-claim-researchers"
- ]
- },
- "uuid": "8045fc09-13d6-4f90-b239-ed5060b9297b",
- "value": "Avivore"
- },
- {
- "description": "The Bitter threat group initially started using RAT tools in their campaigns, as the first Bitter versions, for Android released in 2014 were based on the AndroRAT framework. Over time, they switched to a custom version that has been known as BitterRAT ever since.",
- "meta": {
- "country": "IN",
- "refs": [
- "https://www.bitdefender.com/files/News/CaseStudies/study/352/Bitdefender-PR-Whitepaper-BitterAPT-creat4571-en-EN-GenericUse.pdf"
- ],
- "synonyms": [
- "BitterAPT",
- "T-APT-17",
- "APT-C-08"
- ]
- },
- "uuid": "1e9bd6fe-e009-41ce-8e92-ad78c73ee772",
- "value": "Bitter"
- },
 {
 "description": "An actor group conducting large-scale social engineering and extortion campaign against multiple organizations with some seeing evidence of destructive elements.",
 "meta": {
@@ -9396,5 +9071,5 @@
 "value": "Scarab"
 }
 ],
- "version": 216
+ "version": 215
 }
From a08ddaf548da8dd60d0f6090754d953b1754e3b0 Mon Sep 17 00:00:00 2001
From: Rony
Date: Sat, 2 Apr 2022 01:14:18 +0530
Subject: [PATCH 13/13] Add Avivore & HAZY TIGER/Bitter
---
clusters/threat-actor.json | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 64241ba..d980ee7 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
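Review bot: The `@@ -9396,5 +9071,5 @@` hunk lowers the galaxy `version` from 216 to 215, and the following commit (`[PATCH 13/13]`, 29 insertions in its diffstat) re-adds two clusters without bumping it again, so the series ends at 215 even though a 216 already existed in this history. Galaxy consumers generally reload a cluster file only when its `version` is higher than the one they hold, so an instance that already synced 216 would, as far as I can tell, skip both this revert and the re-added Avivore and HAZY TIGER entries. If the earlier synonym additions are meant to be rolled back, keep the integer monotonic instead of decrementing it — e.g. `"version": 217` (any value above the last released one) — and bump it once more in the commit that re-adds the clusters. The old and new values here are the only evidence on the page of what was published, so confirm the last released number before picking the new one.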
@@ -9037,6 +9037,35 @@
 "uuid": "d45dd940-b38d-4b2c-9f2f-3e4a0eac841c",
 "value": "MosesStaff"
 },
+ {
+ "description": "The group’s existence came to light during Context’s investigation of a number of attacks against multinational enterprises that compromise smaller engineering services and consultancies working in their supply chains.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.computerweekly.com/news/252471769/New-threat-group-behind-Airbus-cyber-attacks-claim-researchers",
+ "https://www.contextis.com/en/news/context-identifies-new-avivore-threat-group",
+ "https://www.contextis.com/en/blog/avivore"
+ ]
+ },
+ "uuid": "8045fc09-13d6-4f90-b239-ed5060b9297b",
+ "value": "Avivore"
+ },
+ {
+ "description": "The Bitter threat group initially started using RAT tools in their campaigns, as the first Bitter versions, for Android released in 2014 were based on the AndroRAT framework. Over time, they switched to a custom version that has been known as BitterRAT ever since.",
+ "meta": {
+ "country": "IN",
+ "refs": [
+ "https://www.bitdefender.com/files/News/CaseStudies/study/352/Bitdefender-PR-Whitepaper-BitterAPT-creat4571-en-EN-GenericUse.pdf"
+ ],
+ "synonyms": [
+ "Bitter",
+ "T-APT-17",
+ "APT-C-08"
+ ]
+ },
+ "uuid": "1e9bd6fe-e009-41ce-8e92-ad78c73ee772",
+ "value": "HAZY TIGER"
+ },
 {
 "description": "An actor group conducting large-scale social engineering and extortion campaign against multiple organizations with some seeing evidence of destructive elements.",
 "meta": {
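Review bot: The re-added cluster keeps the UUID `1e9bd6fe-e009-41ce-8e92-ad78c73ee772` of the `Bitter` cluster removed in the previous commit but changes its `value` to `HAZY TIGER` and drops the `BitterAPT` alias that cluster carried, while the only entry in `refs` is still the Bitdefender BitterAPT whitepaper, so nothing on the page documents `HAZY TIGER` as the primary name. If the `Bitter` cluster has already been published under that UUID, renaming its `value` likely changes how it displays and matches on every instance that holds it. Either keep `"value": "Bitter"` and add `"HAZY TIGER",` to `synonyms`, or keep the new name but add `"BitterAPT",` back to `synonyms` and a reference that attests the HAZY TIGER designation. The `description` still opens with "The Bitter threat group", which reads oddly under a cluster now titled `HAZY TIGER`; one sentence stating that HAZY TIGER and Bitter are the same tracked group would make the relationship explicit.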