add GRP

2025-09-08 02:52:41 +00:00 · 2025-02-17 08:50:21 +01:00 · 2025-02-17 08:50:21 +01:00 · 79f85d77bb
commit 79f85d77bb
parent 9074f74820
1 changed files with 11 additions and 2 deletions
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@ -2312,6 +2312,7 @@
    {
      "description": "The Sofacy Group (also known as APT28, Pawn Storm, Fancy Bear and Sednit) is a cyber espionage group believed to have ties to the Russian government. Likely operating since 2007, the group is known to target government, military, and security organizations. It has been characterized as an advanced persistent threat.",
      "meta": {
+        "GRU": "Military unit 26165",
        "attribution-confidence": "50",
        "cfr-suspected-state-sponsor": "Russian Federation",
        "cfr-suspected-victims": [
@ -2794,6 +2795,7 @@
    {
      "description": "This threat actor targets industrial control systems, using a tool called Black Energy, associated with electricity and power generation for espionage, denial of service, and data destruction purposes. Some believe that the threat actor is linked to the 2015 compromise of the Ukrainian electrical grid and a distributed denial of service prior to the Russian invasion of Georgia. Believed to be responsible for the 2008 DDoS attacks in Georgia and the 2015 Ukraine power grid outage",
      "meta": {
+        "GRU": "Military unit 74455",
        "attribution-confidence": "50",
        "cfr-suspected-state-sponsor": "Russian Federation",
        "cfr-suspected-victims": [
@ -10542,6 +10544,7 @@
    {
      "description": "A group targeting UA state organizations using the GraphSteel and GrimPlant malware.",
      "meta": {
+        "GRU": "Military unit 29155",
        "country": "RU",
        "refs": [
          "https://malpedia.caad.fkie.fraunhofer.de/details/win.graphsteel",
@ -10554,7 +10557,9 @@
          "https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/",
          "https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/",
          "https://circleid.com/posts/20230412-probing-lorec53-phishing-through-the-dns-microscope",
-          "https://nsfocusglobal.com/wp-content/uploads/2021/11/Analysis-Report-on-Lorec53-Group.pdf"
+          "https://nsfocusglobal.com/wp-content/uploads/2021/11/Analysis-Report-on-Lorec53-Group.pdf",
+          "https://www.crowdstrike.com/en-us/blog/who-is-ember-bear/",
+          "https://attack.mitre.org/groups/G1003/"
        ],
        "synonyms": [
          "UNC2589",
@ -10566,7 +10571,11 @@
          "Storm-0587",
          "DEV-0587",
          "Saint Bear",
-          "Lorec53"
+          "Lorec53",
+          "EMBER BEAR",
+          "Lorec Bear",
+          "Bleeding Bear",
+          "Saint Bear"
        ]
      },
      "uuid": "c67d3dfb-ab39-46e1-a971-5efdfe6a5b9f",