diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index b00906e..b718a55 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -2545,6 +2545,126 @@ ] }, "uuid": "35d71626-4794-11e8-b74d-bbcbe48fee3c" + }, + { + "value": "ALLANITE", + "description": "Adversaries abusing ICS (based on Dragos Inc adversary list).", + "meta": { + "refs": [ + "https://dragos.com/adversaries.html" + ], + "mode-of-operation": "Watering-hole and phishing leading to ICS recon and screenshot collection", + "since": "2017", + "capabilities": "Powershell scripts, THC Hydra, SecretsDump, Inveigh, PSExec", + "victimology": "Electric utilities, US and UK", + "synonyms": [ + "Palmetto Fusion" + ] + }, + "uuid": "a9000eaf-2b75-4ec7-8dcf-fe1bb5c77470" + }, + { + "value": "CHRYSENE", + "description": "Adversaries abusing ICS (based on Dragos Inc adversary list).", + "meta": { + "refs": [ + "https://dragos.com/adversaries.html" + ], + "mode-of-operation": "IT compromise, information gathering and recon against industrial orgs", + "since": "2017", + "capabilities": "Watering holes, 64-bit malware, covert C2 via IPv6 DNS, ISMDOOR", + "victimology": "Oil and Gas, Manufacturing, Europe, MENA, North America", + "synonyms": [ + "OilRig", + "Greenbug" + ] + }, + "uuid": "a0082cfa-32e2-42b8-92d8-5c7a7409dcf1" + }, + { + "value": "COVELLITE", + "description": "Adversaries abusing ICS (based on Dragos Inc adversary list).", + "meta": { + "refs": [ + "https://dragos.com/adversaries.html" + ], + "mode-of-operation": "IT compromise with hardened anti-analysis malware against industrial orgs", + "since": "2017", + "capabilities": "Encoded binaries in documents, evasion techniques", + "victimology": "Electric Utilities, US", + "synonyms": [ + "Lazarus", + "Hidden Cobra" + ] + }, + "uuid": "027a1428-6e79-4a4b-82b9-e698e8525c2b" + }, + { + "value": "DYMALLOY", + "description": "Adversaries abusing ICS (based on Dragos Inc adversary list).", + "meta": { + "refs": [ + "https://dragos.com/adversaries.html" + ], + "mode-of-operation": "Deep ICS environment information gathering, operator credentials, industrial process details", + "since": "2016", + "capabilities": "GOODOR, DORSHEL, KARAGANY, Mimikatz", + "victimology": "Turkey, Europe, US", + "synonyms": [ + "Dragonfly2", + "Berserker Bear" + ] + }, + "uuid": "a08ab076-33c1-4350-b021-650c34277f2d" + }, + { + "value": "ELECTRUM", + "description": "Adversaries abusing ICS (based on Dragos Inc adversary list).", + "meta": { + "refs": [ + "https://dragos.com/adversaries.html" + ], + "mode-of-operation": "Electric grid disruption and long-term persistence", + "since": "2016", + "capabilities": "CRASHOVERRIDE", + "victimology": "Ukraine, Electric Utilities", + "synonyms": [ + "Sandworm" + ] + }, + "uuid": "a2d44915-6cff-43cf-8a53-f4850058ad05" + }, + { + "value": "MAGNALLIUM", + "description": "Adversaries abusing ICS (based on Dragos Inc adversary list).", + "meta": { + "refs": [ + "https://dragos.com/adversaries.html" + ], + "mode-of-operation": "IT network limited, information gathering against industrial orgs", + "since": "2016", + "capabilities": "STONEDRILL wiper, variants of TURNEDUP malware", + "victimology": "Petrochemical, Aerospace, Saudi Arabia", + "synonyms": [ + "APT33" + ] + }, + "uuid": "accd848b-b8f4-46ba-a408-9063b35cfbf2" + }, + { + "value": "XENOTIME", + "description": "Adversaries abusing ICS (based on Dragos Inc adversary list).", + "meta": { + "refs": [ + "https://dragos.com/adversaries.html" + ], + "mode-of-operation": "Focused on physical destruction and long-term persistence", + "since": "2014", + "capabilities": "TRISIS, custom credential harvesting", + "victimology": "Oil and Gas, Middle East", + "synonyms": [] + }, + "uuid": "3dddc77e-a52a-466a-bf1c-1463e352077f" } ], "name": "Threat actor", @@ -2559,5 +2679,5 @@ ], "description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.", "uuid": "7cdff317-a673-4474-84ec-4f1754947823", - "version": 38 + "version": 39 }