Merge pull request #9 from cvandeplas/master

added Callisto threat actor, and removed duplicates
2025-01-19 02:56:16 +00:00 · 2016-11-16 13:40:00 +01:00 · 2016-11-16 13:40:00 +01:00 · 73ea36a29d
commit 73ea36a29d
parent 0b0821db60 b97e73b7d3
2 changed files with 20 additions and 25 deletions
--- a/clusters/threat-actors.json
+++ b/clusters/threat-actors.json
@ -98,14 +98,6 @@
      "value": "Eloquent Panda",
      "country": "CN"
    },
-    {
-      "value": "Emissary Panda",
-      "description": "A China-based actor that targets foreign embassies to collect data on government, defence, and technology sectors.",
-      "refs": [
-        "http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/"
-      ],
-      "country": "CN"
-    },
    {
      "value": "Dizzy Panda",
      "synonyms": [
@ -288,8 +280,10 @@
    },
    {
      "value": "Emissary Panda",
+      "description": "A China-based actor that targets foreign embassies to collect data on government, defence, and technology sectors.",
      "refs": [
-        "http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/"
+        "http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/",
+        "http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/"
      ],
      "country": "CN",
      "synonyms": [
@ -506,6 +500,10 @@
    },
    {
      "value": "Cutting Kitten",
+      "description": "While tracking a suspected Iran-based threat group known as Threat Group-2889[1] (TG-2889), Dell SecureWorks Counter Threat Unit™ (CTU) researchers uncovered a network of fake LinkedIn profiles. These convincing profiles form a self-referenced network of seemingly established LinkedIn users. CTU researchers assess with high confidence the purpose of this network is to target potential victims through social engineering. Most of the legitimate LinkedIn accounts associated with the fake accounts belong to individuals in the Middle East, and CTU researchers assess with medium confidence that these individuals are likely targets of TG-2889.",
+      "refs": [
+        "http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/"
+      ],
      "synonyms": [
        "ITSecTeam",
        "Threat Group 2889",
@ -565,17 +563,6 @@
      "value": "Sands Casino",
      "country": "IR"
    },
-    {
-      "value": "Threat Group-2889",
-      "description": "While tracking a suspected Iran-based threat group known as Threat Group-2889[1] (TG-2889), Dell SecureWorks Counter Threat Unit™ (CTU) researchers uncovered a network of fake LinkedIn profiles. These convincing profiles form a self-referenced network of seemingly established LinkedIn users. CTU researchers assess with high confidence the purpose of this network is to target potential victims through social engineering. Most of the legitimate LinkedIn accounts associated with the fake accounts belong to individuals in the Middle East, and CTU researchers assess with medium confidence that these individuals are likely targets of TG-2889.",
-      "refs": [
-        "http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/"
-      ],
-      "synonyms": [
-        "TG-2889"
-      ],
-      "country": "IR"
-    },
    {
      "value": "Rebel Jackal",
      "synonyms": [
@ -606,7 +593,8 @@
        "TsarTeam",
        "TG-4127",
        "Group-4127",
-        "STRONTIUM"
+        "STRONTIUM",
+        "Grey-Cloud"
      ]
    },
    {
@ -931,6 +919,17 @@
       "value": "Volatile Cedar",
       "description": "Beginning in late 2012, a carefully orchestrated attack campaign we call Volatile Cedar has been targeting individuals, companies and institutions worldwide. This campaign, led by a persistent attacker group, has successfully penetrated a large number of targets using various attack techniques, and specifically, a custom-made malware implant codenamed Explosive .",
       "refs": ["https://www.checkpoint.com/downloads/volatile-cedar-technical-report.pdf"]
+     },
+     {
+       "value": "Callisto",
+       "description": "Threat Group conducting cyber espionage while re-using tools from other teams; like those of Hacking Team, and vmprotect to obfuscate.",
+       "synonyms": [
+        "Grey-Pro",
+        "Coldriver",
+        "Reuse team",
+        "Malware reusers",
+        "Callisto Group"
+      ]
     }
  ]
 }
--- a/clusters/tools.json
+++ b/clusters/tools.json
@ -342,10 +342,6 @@
    {
      "value": "Preshin"
    },
-    {
-      "value": "Rekaf",
-      "refs": ["https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"]
-    },
    {
      "value": "Oficla"
    },